Suse
Monthly
Navigation restriction bypass in Google Chrome prior to 150.0.7871.47 enables attackers who have already achieved renderer process compromise to escape certain navigation-level security controls via a crafted HTML page. The flaw resides in the PageInfo component, which handles page metadata, security indicators, and related navigation policy enforcement, and fails to adequately validate attacker-controlled input passed from a compromised renderer. With an EPSS of 0.22% (13th percentile), no CISA KEV listing, and a Chromium-internal severity of Low, real-world exploitation risk is currently low despite the CVSS 6.5 medium rating.
Use after free in PageInfo in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)
Out-of-bounds read in Chrome's Chromecast component allows a local attacker to leak sensitive contents from the browser's process memory by delivering malicious network traffic to the affected subsystem. Affected versions are all Chrome releases prior to 150.0.7871.47 on desktop platforms. No public exploit code or CISA KEV listing is identified at time of analysis, and Google's own severity rating is Low, though the CVSS confidentiality impact is scored High due to potential direct process memory exposure.
Process memory disclosure in Google Chrome's Views UI framework on ChromeOS allows a crafted extension, once installed by a user, to read potentially sensitive data from Chrome's process memory. All ChromeOS Chrome versions prior to 150.0.7871.47 are affected; desktop Chrome on Windows, macOS, and Linux is not confirmed in scope. No public exploit has been identified at time of analysis, and Chromium's own internal severity rating is Low - tempering the NVD CVSS 5.9 score - indicating Google's security team assessed limited practical exploitability.
Process memory disclosure in Google Chrome's Dawn WebGPU component (versions prior to 150.0.7871.47) enables remote attackers to read potentially sensitive data from the browser's process memory by luring a victim to a crafted HTML page. The flaw is categorized under CWE-284 (Improper Access Control) within the Dawn graphics abstraction layer, which underpins Chrome's WebGPU implementation. No public exploit code or CISA KEV listing has been identified at time of analysis, and Google's own Chromium security team rates the severity as Low despite the NVD CVSS score of 6.5.
Local privilege escalation in Google Chrome's Chromoting (Chrome Remote Desktop) component on Windows before 150.0.7871.47 allows a local attacker who plants a malicious file to elevate privileges after the victim interacts with it. The flaw stems from insufficient validation of untrusted input (CWE-20) and carries a 7.8 CVSS but was rated Low severity by Chromium's own team. There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.13%, 3rd percentile), consistent with a local, interaction-dependent issue rather than a mass-exploitable one.
Cross-origin data leakage in Google Chrome prior to 150.0.7871.47 stems from insufficient policy enforcement in the Related-Website-Sets feature, enabling a remote attacker to read sensitive cross-origin data by delivering a crafted HTML page to a victim. The CVSS 6.5 score with High confidentiality impact reflects meaningful exposure potential, though Google internally rated this as Low severity and EPSS sits at 0.17% (7th percentile), suggesting limited real-world exploitation risk. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; a vendor patch is available.
Content Security Policy bypass in Google Chrome prior to 150.0.7871.47 stems from insufficient policy enforcement in the browser's Parser component, allowing a remote unauthenticated attacker to circumvent CSP protections via a crafted HTML page. The attacker achieves limited integrity impact (I:L) - able to load or execute content that a properly enforced CSP would block - but gains no confidentiality or availability impact. EPSS is low at 0.22% (13th percentile), no active exploitation has been confirmed (not in CISA KEV), and Chromium internally rated this Low severity, making it a real but low-priority finding.
Same-origin policy bypass in Google Chrome's FedCM (Federated Credential Management) implementation allows remote attackers to perform limited cross-origin integrity manipulation by luring a victim to a crafted HTML page. All Chrome versions prior to 150.0.7871.47 are affected. With an EPSS of 0.18% (8th percentile), no CISA KEV listing, and no public exploit identified, this represents a low-probability exploitation scenario despite being trivially deliverable via a web page.
Sandbox escape in Google Chrome's Media component before version 150.0.7871.47 allows a remote attacker who has already compromised the renderer process to break out of the sandbox using a crafted video file. The flaw stems from insufficient validation of untrusted input (CWE-20) and carries a scope-changing CVSS 3.1 score of 9.6, though Google rated the underlying Chromium severity as Low and no public exploit has been identified at time of analysis. EPSS is low at 0.16% (6th percentile), and it is not listed in CISA KEV.
Sandbox escape in Google Chrome on Windows prior to 150.0.7871.47 lets a remote attacker who has already compromised the renderer process break out of the browser sandbox by feeding crafted input to the Device Trust component via a malicious HTML page. NVD scores this 9.6 (Critical) while Google rates the Chromium security severity as Low, and there is no public exploit identified at time of analysis. EPSS is very low at 0.17% (7th percentile), and it is not listed in CISA KEV.
Navigation restriction bypass in Google Chrome prior to 150.0.7871.47 allows a remote attacker to circumvent network-layer policy enforcement by inducing a user to visit a specially crafted HTML page. Rooted in CWE-602 (client-side enforcement of server-side security), the flaw means Chrome's network policy checks governing navigation can be subverted client-side, yielding a low-integrity impact with no confidentiality or availability consequence. No public exploit has been identified and the EPSS exploitation probability stands at 0.18% (8th percentile), consistent with Chromium's own 'Low' severity rating - this is a low-urgency but genuine policy-enforcement gap.
Cross-origin data leakage in Google Chrome's Extensions subsystem (versions prior to 150.0.7871.47) enables a remote attacker - who has first achieved renderer process compromise - to bypass same-origin policy enforcement and read cross-origin data via a specially crafted HTML page. The flaw is classified as CWE-346 (Origin Validation Error) and rated Low severity by the Chromium security team. EPSS is extremely low at 0.17% (7th percentile), no CISA KEV listing exists, and no public exploit code has been identified, consistent with the significant chained exploitation barrier imposed by the renderer-compromise prerequisite.
FileSystem policy enforcement bypass in Google Chrome prior to version 150.0.7871.47 allows a remote attacker to circumvent discretionary access control via a crafted HTML page, resulting in limited unauthorized write operations within the browser's sandboxed filesystem scope. The vulnerability requires user interaction - the victim must navigate to a malicious page - and produces only an integrity impact (I:L) with no confidentiality or availability consequence. With an EPSS of 0.18% (8th percentile) and no CISA KEV listing, real-world exploitation probability is very low; no public exploit has been identified at time of analysis.
Uninitialized memory exposure in Google Chrome's GamepadAPI allows an attacker who has already achieved renderer process compromise to read potentially sensitive contents from process memory by serving a crafted HTML page that triggers the flaw. Affected versions are all Chrome releases prior to 150.0.7871.47. While the CVSS base score is 6.5 with high confidentiality impact, Chromium's own severity rating is Low, reflecting the significant prerequisite of prior renderer compromise that dramatically constrains real-world exploitability. No public exploit code or CISA KEV listing has been identified at time of analysis, and a vendor patch is available.
Cross-origin data leakage in Google Chrome's Passwords component prior to version 150.0.7871.47 enables remote attackers to exfiltrate credential-related or other sensitive cross-origin data by directing victims to a crafted HTML page. The root cause (CWE-693, Protection Mechanism Failure) represents a breakdown in the policy enforcement layer governing cross-origin access in the Passwords subsystem - a bypass of the isolation guarantees Chrome's same-origin model is meant to provide. No public exploit has been identified at time of analysis; EPSS of 0.17% (7th percentile) and the absence of a CISA KEV listing place real-world exploitation probability very low, and Chromium's own team rated the severity as Low despite the NVD CVSS 6.5 Medium score.
Memory disclosure in Google Chrome's GPU component (prior to 150.0.7871.47) allows an attacker who has already achieved renderer process compromise to extract potentially sensitive information from process memory via a crafted HTML page. The attack requires both user interaction and a pre-existing renderer compromise, making this a second-stage vulnerability most useful for ASLR bypass or credential harvesting within an exploit chain. No public exploit code or active exploitation (CISA KEV) has been identified; Google rates this as Low severity internally despite the NVD CVSS 5.3 Medium score.
Use-after-free in Chrome's Chromecast component exposes process memory to attackers on the same local network segment via a malicious peripheral, affecting all Chrome versions prior to 150.0.7871.47. The vulnerability carries a CVSS 3.1 score of 6.5 with high confidentiality impact (C:H), meaning successful exploitation leaks potentially sensitive data from the Chrome process heap. No public exploit or CISA KEV listing is identified at time of analysis, and Google has released a patch in the stable channel.
Content Security Policy bypass in Google Chrome's Extensions subsystem prior to version 150.0.7871.47 allows an attacker who socially engineers a victim into installing a crafted malicious extension to circumvent CSP protections, yielding limited integrity impact. CVSS UI:R and EPSS at 0.12% (2nd percentile) confirm this is a low-probability, user-interaction-dependent attack with no confidentiality or availability consequence. No KEV listing, no known POC, and Google's own 'Low' severity rating collectively position this as a low operational priority despite broad product prevalence.
Same-origin policy bypass in Google Chrome's CustomTabs component on Android (versions prior to 150.0.7871.47) permits remote attackers to perform limited cross-origin integrity violations by directing a victim to a crafted HTML page. The flaw is classified as CWE-346 (Origin Validation Error), meaning Chrome's CustomTabs implementation incorrectly validates or enforces origin boundaries when rendering attacker-controlled content. No active exploitation has been confirmed (not in CISA KEV) and the EPSS score of 0.18% (8th percentile) reflects very low observed exploitation probability, consistent with the Low severity rating assigned by the Chromium security team.
Cross-origin data leakage in Google Chrome's Network component (versions prior to 150.0.7871.47) enables a remote attacker who has already compromised the renderer process to exfiltrate cross-origin data via a specially crafted HTML page. This is a chained vulnerability - renderer-process compromise is a hard prerequisite, meaning real-world risk is substantially lower than the network-accessible CVSS vector implies. No public exploit code has been identified and EPSS sits at the 7th percentile (0.17%), consistent with limited exploitation interest. Google has released a fix in the stable channel update to 150.0.7871.47.
Sandbox escape in Google Chrome's ANGLE graphics layer (versions prior to 150.0.7871.47) lets a remote attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page. The flaw is a use-after-free (CWE-416) and is second-stage: it is not directly exploitable from the open web without a prior renderer compromise. No public exploit has been identified at time of analysis, and its EPSS exploitation probability is low (0.17%, 7th percentile); notably, Google rated the Chromium security severity as Low despite the NVD CVSS of 9.6.
Sandbox escape in Google Chrome's GetUserMedia (media capture) implementation before version 150.0.7871.47 lets a remote attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page. The flaw is a use-after-free (CWE-416) reported by Google's own security team; despite an NVD CVSS of 9.6, Chromium rates its severity Low, and there is no public exploit identified at time of analysis with an EPSS of only 0.17% (7th percentile).
Inappropriate implementation in Isolated Web Apps in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Privilege escalation in Google Chrome desktop before 150.0.7871.47 stems from insufficient policy enforcement in the Serial (Web Serial API) component, allowing a remote attacker who lures a victim to a crafted HTML page to escalate privileges within the browser. Note the signal conflict: NVD scores this 8.8 (High) with high confidentiality/integrity/availability impact, yet Chromium's own triage rates the security severity as Low. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; EPSS is very low at 0.17% (7th percentile).
Heap corruption in Google Chrome's BrowserTag component affects all desktop builds prior to 150.0.7871.47, where a use-after-free (CWE-416) can be triggered by a crafted Chrome extension. An attacker who convinces a victim to install a malicious extension can potentially exploit the freed-memory condition to corrupt the heap and execute code. No public exploit identified at time of analysis, and EPSS is low (0.12%, 2nd percentile), consistent with the Chromium team's own 'Low' severity rating despite the NVD CVSS of 8.8.
Same-origin policy bypass in Google Chrome's GetUserMedia implementation prior to version 150.0.7871.47 allows a remote, unauthenticated attacker to achieve limited cross-origin integrity impact by delivering a crafted HTML page to a victim. Chromium's own severity classification is Low, consistent with the CVSS 4.3 score and an EPSS exploitation probability of just 0.18% (8th percentile). No public exploit code and no active exploitation have been identified at time of analysis; Google has issued a remediated build in Chrome 150.0.7871.47.
Sandbox escape in Google Chrome's New Tab Page prior to 150.0.7871.47 allows an attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page. The flaw stems from insufficient validation of untrusted input (CWE-20) and requires a pre-existing renderer foothold, making it a second-stage exploit rather than an initial-access vector. Google rated the Chromium severity as Low; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.17%, 7th percentile).
Sandbox escape in Google Chrome's GPU process before 150.0.7871.47 lets a remote attacker who has already compromised the renderer process break out of the sandbox via a crafted HTML page. The flaw is a protection-mechanism failure (CWE-693) that Google patched in the June 2026 Stable channel update; Chromium rated its intrinsic severity Low because it is only useful as the second link in an exploit chain, and no public exploit has been identified at time of analysis. EPSS probability is low (0.17%, 7th percentile), consistent with a chained bug rather than a mass-exploitable entry point.
Privilege escalation in Google Chrome desktop before 150.0.7871.47 stems from insufficient policy enforcement in the Bluetooth subsystem, letting a remote attacker who lures a victim to a crafted HTML page cross a security boundary the browser is supposed to guard. Google's Chrome release channel and the NVD-assigned CVSS 3.1 base score of 8.8 (High) diverge from Chromium's own internal 'Low' severity rating, signaling the practical impact is likely narrower than the raw score implies. There is no public exploit identified at time of analysis, and the EPSS probability is low at 0.17% (7th percentile), consistent with no active exploitation reported.
Insufficient Bluetooth policy enforcement in Google Chrome prior to 150.0.7871.47 allows remote attackers to read potentially sensitive data from browser process memory by luring a victim to a crafted HTML page. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) scores 6.5 Medium at NVD, though Chromium's own severity rating is 'Low,' suggesting Chrome's sandbox architecture limits practical memory exposure. No public exploit code or active exploitation has been identified at time of analysis.
WebXR implementation flaw in Google Chrome on Android prior to 150.0.7871.47 permits remote attackers to bypass navigation restrictions by delivering a crafted HTML page to a victim. The vulnerability is Android-specific and requires user interaction to trigger, constraining its reach. With no CISA KEV listing, no public exploit identified at time of analysis, and an EPSS of 0.18% (8th percentile), this represents a low-priority integrity issue that Google itself rates as Low severity.
Site isolation bypass in Google Chrome's Media component on Windows allows remote attackers to circumvent cross-origin security boundaries by delivering a specially crafted HTML page to a victim. All Chrome for Windows releases prior to 150.0.7871.47 are affected. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; EPSS at 0.18% (8th percentile) and SSVC exploitation status of 'none' consistently indicate low current real-world risk despite the potential severity of an isolation bypass.
Use after free in Bluetooth in Google Chrome on Mac prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Low)
Inappropriate implementation in File Input in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Omnibox (URL bar) spoofing in Google Chrome on Linux prior to 150.0.7871.47 is possible through an inappropriate SplitView implementation, allowing remote attackers to display false URLs to victims who are tricked into performing specific UI gestures on a crafted HTML page. This CWE-451 class flaw undermines browser trust indicators and enables phishing scenarios, though exploitation is constrained by high attack complexity and mandatory user interaction. No public exploit code or active exploitation has been identified; a vendor patch is available in the stable channel release.
UI spoofing in Google Chrome for iOS prior to 150.0.7871.47 allows a remote attacker to misrepresent security indicators to users who are socially engineered into performing specific UI gestures on a crafted HTML page. The root cause is incorrect rendering of security UI elements (CWE-451), classified by the Chromium team as Low severity. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog, aligning with the modest CVSS 4.2 score and the high-complexity attack requirements.
Use-after-free in Google Chrome's SignIn component (versions prior to 150.0.7871.47) allows a remote attacker to trigger heap corruption and potentially achieve code execution after luring a victim to a crafted HTML page and performing specific UI gestures. No public exploit was identified at time of analysis, and with an EPSS of 0.17% (7th percentile) and Chromium-rated 'Low' severity, near-term mass exploitation appears unlikely despite the high 8.8 CVSS. The flaw is patched in the current stable channel and is not listed in CISA KEV.
UI spoofing via incorrect security rendering in Chrome's SplitView component allows a remote attacker to misrepresent security-critical UI elements to a victim running any Chrome version prior to 150.0.7871.47. The attacker must serve a crafted HTML page and successfully induce the victim into performing specific UI gestures, after which SplitView renders misleading security indicators - enabling phishing-class deception within a trusted browser context. No public exploit code exists and no active exploitation has been confirmed; the Chromium team itself rated this Low severity, consistent with the CVSS 4.2 score and high attack complexity.
Heap corruption in Google Chrome's Views UI framework on macOS (versions before 150.0.7871.47) lets a remote attacker who lures a victim to a crafted HTML page and coaxes them into specific UI gestures trigger a use-after-free, potentially achieving code execution in the renderer. Google rates the Chromium severity as Low, but the NVD CVSS is 8.8 (High), and no public exploit has been identified at time of analysis. EPSS is low at 0.21% (11th percentile), and the flaw is not in CISA KEV.
Use-after-free in Google Chrome's Ozone component on Linux prior to 150.0.7871.47 lets a remote attacker trigger heap corruption after luring a user to a crafted HTML page and inducing specific UI gestures. Rated CVSS 8.8 with high confidentiality, integrity and availability impact, it is patched in the stable channel but requires user interaction (UI:R). No public exploit is identified at time of analysis and EPSS exploitation probability is low (0.21%, 11th percentile), and Google classifies the Chromium severity as Medium.
Same-origin policy bypass in Google Chrome's SanitizerAPI before version 150.0.7871.47 allows a remote attacker to violate cross-origin integrity boundaries through a crafted HTML page that exploits insufficient input validation. The flaw targets a security-critical browser API whose purpose is precisely to prevent unsafe HTML injection, making the bypass particularly notable. EPSS at 0.22% (13th percentile) indicates low near-term exploitation probability, and no active exploitation or public exploit code has been identified at time of analysis.
Cross-origin data leakage in Google Chrome's Network component (versions prior to 150.0.7871.47) enables a remote attacker who has already achieved renderer process compromise to bypass same-origin policy protections and exfiltrate sensitive cross-origin data via a crafted HTML page. This vulnerability functions as a second-stage exploit primitive within a chain - it does not enable initial access but extends the impact of an existing renderer compromise. No public exploit code or CISA KEV listing has been identified at time of analysis; EPSS of 0.21% (11th percentile) reflects low observed exploitation activity.
Cross-origin data leakage in Google Chrome's StorageAccessAPI (prior to 150.0.7871.47) enables a remote attacker who has already compromised the renderer process to read storage or cookie data belonging to other origins by delivering a crafted HTML page. This is a chained attack - the StorageAccessAPI policy bypass is the second stage of a multi-step compromise, not a standalone entry point. EPSS is very low (0.17%, 7th percentile), no active exploitation is confirmed in CISA KEV, and no public exploit code has been identified at time of analysis.
UI spoofing in Google Chrome's WebXR subsystem (versions prior to 150.0.7871.47) is achievable by an attacker who has already compromised the renderer process, allowing manipulation of browser UI elements via a crafted HTML page. The vulnerability is a second-stage attack component, not a standalone entry point - exploitation chains through a separate renderer compromise before WebXR's insufficient input validation can be abused. EPSS at 0.17% (7th percentile) and no CISA KEV listing indicate minimal observed exploitation activity; patch is available as of Chrome 150.0.7871.47.
Cross-origin credential data leakage in Google Chrome's built-in Passwords feature (all versions prior to 150.0.7871.47) can be triggered remotely via a crafted HTML page requiring only user interaction. The flaw is rooted in an inappropriate implementation in Chrome's password management subsystem (CWE-522 - Insufficiently Protected Credentials), allowing a remote attacker to read data across origin boundaries that should be strictly isolated. No public exploit code is identified and EPSS stands at 0.17% (7th percentile), indicating limited exploitation pressure at time of analysis; however, Chrome's ubiquitous deployment makes the aggregate exposure significant.
Local privilege escalation in Google Chrome's Updater component on Windows (versions prior to 150.0.7871.47) allows a local attacker to escalate to OS-level privileges via a malicious file that triggers a use-after-free condition. Google rates the Chromium security severity as Medium, though the CVSS base score is 7.8 (High) because the Updater runs with elevated (SYSTEM) privileges. There is no public exploit identified at time of analysis and EPSS is very low (0.11%, 1st percentile), indicating negligible observed exploitation activity.
Sandbox escape in Google Chrome's Navigation component before 150.0.7871.47 lets a remote attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page. Rated Medium by Chromium but carries a 9.6 CVSS due to the scope-changing sandbox breach; EPSS is low (0.17%, 7th percentile) and there is no public exploit identified at time of analysis, indicating it is realistically a second-stage link in an exploit chain rather than a standalone remote-code path.
Cross-origin data leakage in Google Chrome's SVG implementation prior to version 150.0.7871.47 allows a remote attacker to read data from cross-origin resources by luring a victim to a crafted HTML page. The flaw exploits improper SVG handling that bypasses same-origin policy protections, exposing potentially sensitive session data or authenticated content from third-party origins. No active exploitation has been confirmed (not listed in CISA KEV), and EPSS stands at 0.17% (7th percentile), indicating low observed exploitation probability at time of analysis.
Cross-origin data exfiltration in Google Chrome's WebRTC subsystem on Windows allows remote attackers to leak sensitive data from other origins by directing victims to a specially crafted HTML page. All Chrome on Windows versions prior to 150.0.7871.47 are affected. No public exploit identified at time of analysis, and the EPSS score of 0.17% (7th percentile) signals low near-term exploitation probability despite the CVSS High confidentiality impact - consistent with Chromium's own 'Medium' severity designation and the inherent timing-sensitivity of race condition attacks.
UI spoofing in Google Chrome's Paint rendering component (versions prior to 150.0.7871.47) enables remote attackers to misrepresent browser interface elements through a specially crafted HTML page, with the victim's visit being the sole prerequisite. The CVSS vector confirms high integrity impact (I:H) with no confidentiality or availability exposure, consistent with CWE-451 misrepresentation of critical UI information rather than code execution. No public exploit has been identified and EPSS sits at the 7th percentile (0.17%), indicating very low near-term exploitation probability; a vendor patch is confirmed available in the Chrome stable channel.
UI spoofing in Google Chrome prior to version 150.0.7871.47 is caused by an inappropriate SVG rendering implementation, enabling remote attackers to visually misrepresent browser UI elements through a crafted HTML page. Exploitation requires user interaction - the victim must visit a malicious page - and the direct impact is limited to integrity via visual deception, with no confidentiality or availability consequence. No public exploit has been identified and the EPSS score of 0.17% (7th percentile) confirms minimal exploitation activity at time of analysis.
CSS side-channel information leakage in Google Chrome prior to 150.0.7871.47 enables a remote attacker to read potentially sensitive data from the browser's process memory by inducing a victim to visit a specially crafted HTML page. The vulnerability is classified under CWE-1300 (Improper Protection of Physical Side Channels), indicating that observable rendering or timing behavior in Chrome's CSS engine can be exploited to infer in-memory state. No public exploit identified at time of analysis; however, the CVSS-assessed confidentiality impact is rated High, and Google has released a fix in Chrome stable channel version 150.0.7871.47.
Out-of-bounds memory read in the SurfaceCapture component of Google Chrome before 150.0.7871.47 lets a remote attacker leak adjacent heap memory when a victim opens a crafted HTML page. Chromium rated the flaw Medium severity, though the associated CVSS is 8.1; there is no public exploit identified at time of analysis and EPSS estimates exploitation probability at just 0.17% (7th percentile), consistent with a browser bug fixed pre-disclosure. Successful exploitation could disclose sensitive in-process data or crash the renderer, and typically serves as one link in a larger sandbox-escape chain rather than standalone compromise.
Uninitialized memory use in Chrome's codec subsystem on Windows leaks process memory contents to remote attackers who can direct a user to a crafted HTML page. All Chrome versions prior to 150.0.7871.47 on Windows are affected; exploitation requires no authentication but does require the victim to visit attacker-controlled content, placing this in the drive-by browsing threat category. No public exploit code has been identified at time of analysis, and Google has released a confirmed fix in stable channel 150.0.7871.47.
Inappropriate implementation in Passwords in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Uninitialized memory read in Google Chrome's WebXR subsystem on Android (versions prior to 150.0.7871.47) enables remote attackers to leak sensitive contents from process memory by inducing a victim to visit a crafted HTML page. The root cause is CWE-457 (use of an uninitialized variable) within the WebXR implementation, meaning memory buffers are consumed before being properly zeroed or assigned, exposing whatever residual data the process held. No public exploit or CISA KEV listing is identified at time of analysis, but the CVSS C:H rating reflects the potential for meaningful data exposure including in-memory credentials, tokens, or browsing context.
Insufficient policy enforcement in PermissionsPolicy in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)
Use after free in Navigation in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Medium)
Use after free in Omnibox in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Inappropriate implementation in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Insufficient policy enforcement in Extensions in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Medium)
UI spoofing in Google Chrome's Geolocation implementation allows an attacker who has already compromised the renderer process to present misleading geolocation-related interface elements to the user via a crafted HTML page. Affected versions are all Chrome releases prior to 150.0.7871.47. The integrity impact is rated High (CVSS I:H) because the spoofed UI can deceive users into granting or believing geolocation permissions under false pretenses; no public exploit or CISA KEV listing exists, and the 0.17% EPSS score (7th percentile) reflects low observed exploitation probability.
Inappropriate implementation in Network in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium)
Inappropriate implementation in XML in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium)
Insufficient validation of untrusted input in Extensions in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Medium)
UI spoofing via the File Input security indicator in Google Chrome on macOS allows a remote attacker to misrepresent security-critical interface elements when a user visits a crafted HTML page and performs specific UI gestures. Affected are all Chrome for Mac builds prior to 150.0.7871.47. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV; combined with the high attack complexity and required user interaction, real-world exploitation at scale is unlikely without a targeted social engineering component.
UI spoofing in the Extensions component of Google Chrome on Android (prior to 150.0.7871.47) allows a remote attacker to misrepresent security UI elements by luring a victim into performing specific UI gestures on a crafted HTML page. The root cause (CWE-451) is incorrect rendering of security-critical extension UI, potentially misleading users about which extensions are active or what permissions they hold. No public exploit identified at time of analysis; the vendor has released a patch in the stable channel update.
Inappropriate implementation in Permissions in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Insufficient validation of untrusted input in Autofill in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Inappropriate implementation in Credential Management in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Domain spoofing in Google Chrome's WebAppInstalls component (versions prior to 150.0.7871.47) allows remote attackers to misrepresent the security origin displayed to a user, enabling phishing or social engineering attacks. Exploitation requires convincing the victim to perform specific UI gestures while visiting a crafted HTML page, placing this in a moderate-complexity social engineering category. No public exploit code has been identified at time of analysis, and the vendor has released a patch in Chrome 150.0.7871.47.
UI spoofing in Google Chrome on macOS prior to version 150.0.7871.47 allows a remote attacker to misrepresent browser UI elements by convincing a user to perform specific UI gestures on a crafted HTML page. Rooted in CWE-451 (UI Misrepresentation of Critical Information), the flaw can cause security-sensitive browser chrome - such as origin indicators or permission prompts - to display falsified content, potentially deceiving users into unsafe actions. No public exploit code exists and this vulnerability is not listed in CISA KEV; the vendor has released a patch in the Chrome 150 stable channel.
Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
UI spoofing in Google Chrome for Windows (prior to 150.0.7871.47) is enabled by insufficient input validation in the DataTransfer subsystem when the renderer process has already been compromised. A remote attacker who controls a compromised renderer can deliver a crafted HTML page that manipulates visual UI elements, potentially deceiving users into approving malicious permissions, revealing credentials, or performing unintended actions. No active exploitation has been confirmed (not in CISA KEV), and EPSS of 0.17% at the 7th percentile reflects minimal observed exploitation probability; however, exploitation as a second-stage payload in a renderer RCE chain remains a realistic concern for high-value targets.
UI spoofing in Google Chrome's PageInfo component affects all desktop versions prior to 150.0.7871.47, enabling an attacker who has already compromised the renderer process to present deceptive browser security indicators to the user via a crafted HTML page. The vulnerability stems from an inappropriate implementation in the PageInfo subsystem (CWE-451), which controls the trusted security panel users consult to assess site authenticity. No active exploitation is confirmed - EPSS is 0.17% (7th percentile), SSVC rates exploitation as none, and this CVE is absent from the CISA KEV catalog - but the integrity impact is high where the attack chain is achievable.
Inappropriate implementation in Paint in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Incorrect security UI in Mobile in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
UI spoofing in Google Chrome's Media UI component on ChromeOS allows a remote attacker to manipulate what a user sees by delivering a crafted HTML page and social-engineering the victim into performing specific in-browser UI gestures. Affected versions are all Chrome on ChromeOS prior to 150.0.7871.47. While classified Medium severity (CVSS 4.2), the practical risk is constrained by the requirement for active user interaction and the ChromeOS-only scope; no public exploit code or CISA KEV listing has been identified at time of analysis.
UI spoofing via MediaCapture in Google Chrome prior to 150.0.7871.47 enables a remote attacker who has already compromised the renderer process to misrepresent browser UI through a crafted HTML page, potentially deceiving users into granting permissions or trusting malicious content. This is a chained exploitation technique - it requires a prior renderer compromise as a prerequisite - making it a post-exploitation integrity threat rather than an initial access vector. EPSS is 0.21% (11th percentile), no public exploit or CISA KEV listing exists at time of analysis, and Google has patched this in the stable channel update.
UI spoofing in Google Chrome's TabStrip component, fixed in version 150.0.7871.47, enables remote attackers to misrepresent browser security indicators through specially crafted HTML pages. The incorrect security UI rendering in the tab strip allows an attacker to deceive users about the true origin or security state of a webpage, creating phishing-enablement risk. No public exploit code and an EPSS of 0.17% (7th percentile) indicate low exploitation likelihood at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Omnibox (URL bar) spoofing in Google Chrome for iOS prior to 150.0.7871.47 enables a remote attacker to display falsified URL content to a victim user via a crafted HTML page. Exploitation requires convincing the target to perform specific UI gestures while visiting the malicious page, making this a phishing-enabler rather than a direct code-execution primitive. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis; Google has released a fix in the 150.0.7871.47 stable channel update.
UI spoofing in Google Chrome for iOS prior to version 150.0.7871.47 enables a remote attacker to misrepresent page identity or security state through a specially crafted HTML page, exploiting an inappropriate implementation classified under CWE-451. The vulnerability affects only the iOS-specific Chrome codebase - not Chrome on other platforms - and requires user interaction (visiting an attacker-controlled page). No public exploit code has been identified and EPSS sits at 0.21% (11th percentile), indicating low observed exploitation probability; it is not listed in the CISA KEV catalog.
Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Inappropriate implementation in Paint in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Insufficient policy enforcement in PageInfo in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Universal Cross-Site Scripting (UXSS) in Google Chrome's HTMLParser prior to 150.0.7871.47 enables remote attackers to inject arbitrary scripts or HTML into a victim's browser context by serving a crafted HTML page. The flaw is classified Medium severity by Google's Chromium security team and carries a CVSS 5.4 score, with EPSS at 0.17% (7th percentile) and no CISA KEV listing, indicating low current exploitation activity. A vendor-released patch exists in Chrome 150.0.7871.47; Chrome's auto-update mechanism substantially narrows the exposure window for most consumer endpoints.
Sandbox escape in Google Chrome prior to 150.0.7871.47 exploits a heap-based buffer overflow (CWE-122) in the Storage component, enabling an attacker who has already compromised the renderer process to break out of Chrome's sandbox via a crafted HTML page. This is a chained, second-stage vulnerability - renderer compromise through a separate flaw is a hard prerequisite, making standalone exploitation infeasible. EPSS sits at 0.21% (11th percentile), there is no CISA KEV listing, and no public exploit code has been identified at time of analysis; a vendor patch is confirmed available as Chrome 150.0.7871.47.
Out-of-bounds read in ANGLE, Chrome's cross-platform graphics abstraction engine, enables sensitive process memory disclosure on macOS for attackers who have already compromised the renderer process. Affected versions are Google Chrome prior to 150.0.7871.47 on Mac; Windows and Linux are not listed as affected. This flaw is a second-stage technique in a multi-vulnerability chain - not a standalone entry point - and no public exploit code or CISA KEV listing has been identified, placing real-world exploitation risk substantially below what the C:H confidentiality impact alone might imply.
Integer overflow in Safe Browsing in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a malicious file. (Chromium security severity: Medium)
Navigation restriction bypass in Google Chrome prior to 150.0.7871.47 enables attackers who have already achieved renderer process compromise to escape certain navigation-level security controls via a crafted HTML page. The flaw resides in the PageInfo component, which handles page metadata, security indicators, and related navigation policy enforcement, and fails to adequately validate attacker-controlled input passed from a compromised renderer. With an EPSS of 0.22% (13th percentile), no CISA KEV listing, and a Chromium-internal severity of Low, real-world exploitation risk is currently low despite the CVSS 6.5 medium rating.
Use after free in PageInfo in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)
Out-of-bounds read in Chrome's Chromecast component allows a local attacker to leak sensitive contents from the browser's process memory by delivering malicious network traffic to the affected subsystem. Affected versions are all Chrome releases prior to 150.0.7871.47 on desktop platforms. No public exploit code or CISA KEV listing is identified at time of analysis, and Google's own severity rating is Low, though the CVSS confidentiality impact is scored High due to potential direct process memory exposure.
Process memory disclosure in Google Chrome's Views UI framework on ChromeOS allows a crafted extension, once installed by a user, to read potentially sensitive data from Chrome's process memory. All ChromeOS Chrome versions prior to 150.0.7871.47 are affected; desktop Chrome on Windows, macOS, and Linux is not confirmed in scope. No public exploit has been identified at time of analysis, and Chromium's own internal severity rating is Low - tempering the NVD CVSS 5.9 score - indicating Google's security team assessed limited practical exploitability.
Process memory disclosure in Google Chrome's Dawn WebGPU component (versions prior to 150.0.7871.47) enables remote attackers to read potentially sensitive data from the browser's process memory by luring a victim to a crafted HTML page. The flaw is categorized under CWE-284 (Improper Access Control) within the Dawn graphics abstraction layer, which underpins Chrome's WebGPU implementation. No public exploit code or CISA KEV listing has been identified at time of analysis, and Google's own Chromium security team rates the severity as Low despite the NVD CVSS score of 6.5.
Local privilege escalation in Google Chrome's Chromoting (Chrome Remote Desktop) component on Windows before 150.0.7871.47 allows a local attacker who plants a malicious file to elevate privileges after the victim interacts with it. The flaw stems from insufficient validation of untrusted input (CWE-20) and carries a 7.8 CVSS but was rated Low severity by Chromium's own team. There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.13%, 3rd percentile), consistent with a local, interaction-dependent issue rather than a mass-exploitable one.
Cross-origin data leakage in Google Chrome prior to 150.0.7871.47 stems from insufficient policy enforcement in the Related-Website-Sets feature, enabling a remote attacker to read sensitive cross-origin data by delivering a crafted HTML page to a victim. The CVSS 6.5 score with High confidentiality impact reflects meaningful exposure potential, though Google internally rated this as Low severity and EPSS sits at 0.17% (7th percentile), suggesting limited real-world exploitation risk. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; a vendor patch is available.
Content Security Policy bypass in Google Chrome prior to 150.0.7871.47 stems from insufficient policy enforcement in the browser's Parser component, allowing a remote unauthenticated attacker to circumvent CSP protections via a crafted HTML page. The attacker achieves limited integrity impact (I:L) - able to load or execute content that a properly enforced CSP would block - but gains no confidentiality or availability impact. EPSS is low at 0.22% (13th percentile), no active exploitation has been confirmed (not in CISA KEV), and Chromium internally rated this Low severity, making it a real but low-priority finding.
Same-origin policy bypass in Google Chrome's FedCM (Federated Credential Management) implementation allows remote attackers to perform limited cross-origin integrity manipulation by luring a victim to a crafted HTML page. All Chrome versions prior to 150.0.7871.47 are affected. With an EPSS of 0.18% (8th percentile), no CISA KEV listing, and no public exploit identified, this represents a low-probability exploitation scenario despite being trivially deliverable via a web page.
Sandbox escape in Google Chrome's Media component before version 150.0.7871.47 allows a remote attacker who has already compromised the renderer process to break out of the sandbox using a crafted video file. The flaw stems from insufficient validation of untrusted input (CWE-20) and carries a scope-changing CVSS 3.1 score of 9.6, though Google rated the underlying Chromium severity as Low and no public exploit has been identified at time of analysis. EPSS is low at 0.16% (6th percentile), and it is not listed in CISA KEV.
Sandbox escape in Google Chrome on Windows prior to 150.0.7871.47 lets a remote attacker who has already compromised the renderer process break out of the browser sandbox by feeding crafted input to the Device Trust component via a malicious HTML page. NVD scores this 9.6 (Critical) while Google rates the Chromium security severity as Low, and there is no public exploit identified at time of analysis. EPSS is very low at 0.17% (7th percentile), and it is not listed in CISA KEV.
Navigation restriction bypass in Google Chrome prior to 150.0.7871.47 allows a remote attacker to circumvent network-layer policy enforcement by inducing a user to visit a specially crafted HTML page. Rooted in CWE-602 (client-side enforcement of server-side security), the flaw means Chrome's network policy checks governing navigation can be subverted client-side, yielding a low-integrity impact with no confidentiality or availability consequence. No public exploit has been identified and the EPSS exploitation probability stands at 0.18% (8th percentile), consistent with Chromium's own 'Low' severity rating - this is a low-urgency but genuine policy-enforcement gap.
Cross-origin data leakage in Google Chrome's Extensions subsystem (versions prior to 150.0.7871.47) enables a remote attacker - who has first achieved renderer process compromise - to bypass same-origin policy enforcement and read cross-origin data via a specially crafted HTML page. The flaw is classified as CWE-346 (Origin Validation Error) and rated Low severity by the Chromium security team. EPSS is extremely low at 0.17% (7th percentile), no CISA KEV listing exists, and no public exploit code has been identified, consistent with the significant chained exploitation barrier imposed by the renderer-compromise prerequisite.
FileSystem policy enforcement bypass in Google Chrome prior to version 150.0.7871.47 allows a remote attacker to circumvent discretionary access control via a crafted HTML page, resulting in limited unauthorized write operations within the browser's sandboxed filesystem scope. The vulnerability requires user interaction - the victim must navigate to a malicious page - and produces only an integrity impact (I:L) with no confidentiality or availability consequence. With an EPSS of 0.18% (8th percentile) and no CISA KEV listing, real-world exploitation probability is very low; no public exploit has been identified at time of analysis.
Uninitialized memory exposure in Google Chrome's GamepadAPI allows an attacker who has already achieved renderer process compromise to read potentially sensitive contents from process memory by serving a crafted HTML page that triggers the flaw. Affected versions are all Chrome releases prior to 150.0.7871.47. While the CVSS base score is 6.5 with high confidentiality impact, Chromium's own severity rating is Low, reflecting the significant prerequisite of prior renderer compromise that dramatically constrains real-world exploitability. No public exploit code or CISA KEV listing has been identified at time of analysis, and a vendor patch is available.
Cross-origin data leakage in Google Chrome's Passwords component prior to version 150.0.7871.47 enables remote attackers to exfiltrate credential-related or other sensitive cross-origin data by directing victims to a crafted HTML page. The root cause (CWE-693, Protection Mechanism Failure) represents a breakdown in the policy enforcement layer governing cross-origin access in the Passwords subsystem - a bypass of the isolation guarantees Chrome's same-origin model is meant to provide. No public exploit has been identified at time of analysis; EPSS of 0.17% (7th percentile) and the absence of a CISA KEV listing place real-world exploitation probability very low, and Chromium's own team rated the severity as Low despite the NVD CVSS 6.5 Medium score.
Memory disclosure in Google Chrome's GPU component (prior to 150.0.7871.47) allows an attacker who has already achieved renderer process compromise to extract potentially sensitive information from process memory via a crafted HTML page. The attack requires both user interaction and a pre-existing renderer compromise, making this a second-stage vulnerability most useful for ASLR bypass or credential harvesting within an exploit chain. No public exploit code or active exploitation (CISA KEV) has been identified; Google rates this as Low severity internally despite the NVD CVSS 5.3 Medium score.
Use-after-free in Chrome's Chromecast component exposes process memory to attackers on the same local network segment via a malicious peripheral, affecting all Chrome versions prior to 150.0.7871.47. The vulnerability carries a CVSS 3.1 score of 6.5 with high confidentiality impact (C:H), meaning successful exploitation leaks potentially sensitive data from the Chrome process heap. No public exploit or CISA KEV listing is identified at time of analysis, and Google has released a patch in the stable channel.
Content Security Policy bypass in Google Chrome's Extensions subsystem prior to version 150.0.7871.47 allows an attacker who socially engineers a victim into installing a crafted malicious extension to circumvent CSP protections, yielding limited integrity impact. CVSS UI:R and EPSS at 0.12% (2nd percentile) confirm this is a low-probability, user-interaction-dependent attack with no confidentiality or availability consequence. No KEV listing, no known POC, and Google's own 'Low' severity rating collectively position this as a low operational priority despite broad product prevalence.
Same-origin policy bypass in Google Chrome's CustomTabs component on Android (versions prior to 150.0.7871.47) permits remote attackers to perform limited cross-origin integrity violations by directing a victim to a crafted HTML page. The flaw is classified as CWE-346 (Origin Validation Error), meaning Chrome's CustomTabs implementation incorrectly validates or enforces origin boundaries when rendering attacker-controlled content. No active exploitation has been confirmed (not in CISA KEV) and the EPSS score of 0.18% (8th percentile) reflects very low observed exploitation probability, consistent with the Low severity rating assigned by the Chromium security team.
Cross-origin data leakage in Google Chrome's Network component (versions prior to 150.0.7871.47) enables a remote attacker who has already compromised the renderer process to exfiltrate cross-origin data via a specially crafted HTML page. This is a chained vulnerability - renderer-process compromise is a hard prerequisite, meaning real-world risk is substantially lower than the network-accessible CVSS vector implies. No public exploit code has been identified and EPSS sits at the 7th percentile (0.17%), consistent with limited exploitation interest. Google has released a fix in the stable channel update to 150.0.7871.47.
Sandbox escape in Google Chrome's ANGLE graphics layer (versions prior to 150.0.7871.47) lets a remote attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page. The flaw is a use-after-free (CWE-416) and is second-stage: it is not directly exploitable from the open web without a prior renderer compromise. No public exploit has been identified at time of analysis, and its EPSS exploitation probability is low (0.17%, 7th percentile); notably, Google rated the Chromium security severity as Low despite the NVD CVSS of 9.6.
Sandbox escape in Google Chrome's GetUserMedia (media capture) implementation before version 150.0.7871.47 lets a remote attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page. The flaw is a use-after-free (CWE-416) reported by Google's own security team; despite an NVD CVSS of 9.6, Chromium rates its severity Low, and there is no public exploit identified at time of analysis with an EPSS of only 0.17% (7th percentile).
Inappropriate implementation in Isolated Web Apps in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Privilege escalation in Google Chrome desktop before 150.0.7871.47 stems from insufficient policy enforcement in the Serial (Web Serial API) component, allowing a remote attacker who lures a victim to a crafted HTML page to escalate privileges within the browser. Note the signal conflict: NVD scores this 8.8 (High) with high confidentiality/integrity/availability impact, yet Chromium's own triage rates the security severity as Low. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; EPSS is very low at 0.17% (7th percentile).
Heap corruption in Google Chrome's BrowserTag component affects all desktop builds prior to 150.0.7871.47, where a use-after-free (CWE-416) can be triggered by a crafted Chrome extension. An attacker who convinces a victim to install a malicious extension can potentially exploit the freed-memory condition to corrupt the heap and execute code. No public exploit identified at time of analysis, and EPSS is low (0.12%, 2nd percentile), consistent with the Chromium team's own 'Low' severity rating despite the NVD CVSS of 8.8.
Same-origin policy bypass in Google Chrome's GetUserMedia implementation prior to version 150.0.7871.47 allows a remote, unauthenticated attacker to achieve limited cross-origin integrity impact by delivering a crafted HTML page to a victim. Chromium's own severity classification is Low, consistent with the CVSS 4.3 score and an EPSS exploitation probability of just 0.18% (8th percentile). No public exploit code and no active exploitation have been identified at time of analysis; Google has issued a remediated build in Chrome 150.0.7871.47.
Sandbox escape in Google Chrome's New Tab Page prior to 150.0.7871.47 allows an attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page. The flaw stems from insufficient validation of untrusted input (CWE-20) and requires a pre-existing renderer foothold, making it a second-stage exploit rather than an initial-access vector. Google rated the Chromium severity as Low; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.17%, 7th percentile).
Sandbox escape in Google Chrome's GPU process before 150.0.7871.47 lets a remote attacker who has already compromised the renderer process break out of the sandbox via a crafted HTML page. The flaw is a protection-mechanism failure (CWE-693) that Google patched in the June 2026 Stable channel update; Chromium rated its intrinsic severity Low because it is only useful as the second link in an exploit chain, and no public exploit has been identified at time of analysis. EPSS probability is low (0.17%, 7th percentile), consistent with a chained bug rather than a mass-exploitable entry point.
Privilege escalation in Google Chrome desktop before 150.0.7871.47 stems from insufficient policy enforcement in the Bluetooth subsystem, letting a remote attacker who lures a victim to a crafted HTML page cross a security boundary the browser is supposed to guard. Google's Chrome release channel and the NVD-assigned CVSS 3.1 base score of 8.8 (High) diverge from Chromium's own internal 'Low' severity rating, signaling the practical impact is likely narrower than the raw score implies. There is no public exploit identified at time of analysis, and the EPSS probability is low at 0.17% (7th percentile), consistent with no active exploitation reported.
Insufficient Bluetooth policy enforcement in Google Chrome prior to 150.0.7871.47 allows remote attackers to read potentially sensitive data from browser process memory by luring a victim to a crafted HTML page. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) scores 6.5 Medium at NVD, though Chromium's own severity rating is 'Low,' suggesting Chrome's sandbox architecture limits practical memory exposure. No public exploit code or active exploitation has been identified at time of analysis.
WebXR implementation flaw in Google Chrome on Android prior to 150.0.7871.47 permits remote attackers to bypass navigation restrictions by delivering a crafted HTML page to a victim. The vulnerability is Android-specific and requires user interaction to trigger, constraining its reach. With no CISA KEV listing, no public exploit identified at time of analysis, and an EPSS of 0.18% (8th percentile), this represents a low-priority integrity issue that Google itself rates as Low severity.
Site isolation bypass in Google Chrome's Media component on Windows allows remote attackers to circumvent cross-origin security boundaries by delivering a specially crafted HTML page to a victim. All Chrome for Windows releases prior to 150.0.7871.47 are affected. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; EPSS at 0.18% (8th percentile) and SSVC exploitation status of 'none' consistently indicate low current real-world risk despite the potential severity of an isolation bypass.
Use after free in Bluetooth in Google Chrome on Mac prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Low)
Inappropriate implementation in File Input in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Omnibox (URL bar) spoofing in Google Chrome on Linux prior to 150.0.7871.47 is possible through an inappropriate SplitView implementation, allowing remote attackers to display false URLs to victims who are tricked into performing specific UI gestures on a crafted HTML page. This CWE-451 class flaw undermines browser trust indicators and enables phishing scenarios, though exploitation is constrained by high attack complexity and mandatory user interaction. No public exploit code or active exploitation has been identified; a vendor patch is available in the stable channel release.
UI spoofing in Google Chrome for iOS prior to 150.0.7871.47 allows a remote attacker to misrepresent security indicators to users who are socially engineered into performing specific UI gestures on a crafted HTML page. The root cause is incorrect rendering of security UI elements (CWE-451), classified by the Chromium team as Low severity. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog, aligning with the modest CVSS 4.2 score and the high-complexity attack requirements.
Use-after-free in Google Chrome's SignIn component (versions prior to 150.0.7871.47) allows a remote attacker to trigger heap corruption and potentially achieve code execution after luring a victim to a crafted HTML page and performing specific UI gestures. No public exploit was identified at time of analysis, and with an EPSS of 0.17% (7th percentile) and Chromium-rated 'Low' severity, near-term mass exploitation appears unlikely despite the high 8.8 CVSS. The flaw is patched in the current stable channel and is not listed in CISA KEV.
UI spoofing via incorrect security rendering in Chrome's SplitView component allows a remote attacker to misrepresent security-critical UI elements to a victim running any Chrome version prior to 150.0.7871.47. The attacker must serve a crafted HTML page and successfully induce the victim into performing specific UI gestures, after which SplitView renders misleading security indicators - enabling phishing-class deception within a trusted browser context. No public exploit code exists and no active exploitation has been confirmed; the Chromium team itself rated this Low severity, consistent with the CVSS 4.2 score and high attack complexity.
Heap corruption in Google Chrome's Views UI framework on macOS (versions before 150.0.7871.47) lets a remote attacker who lures a victim to a crafted HTML page and coaxes them into specific UI gestures trigger a use-after-free, potentially achieving code execution in the renderer. Google rates the Chromium severity as Low, but the NVD CVSS is 8.8 (High), and no public exploit has been identified at time of analysis. EPSS is low at 0.21% (11th percentile), and the flaw is not in CISA KEV.
Use-after-free in Google Chrome's Ozone component on Linux prior to 150.0.7871.47 lets a remote attacker trigger heap corruption after luring a user to a crafted HTML page and inducing specific UI gestures. Rated CVSS 8.8 with high confidentiality, integrity and availability impact, it is patched in the stable channel but requires user interaction (UI:R). No public exploit is identified at time of analysis and EPSS exploitation probability is low (0.21%, 11th percentile), and Google classifies the Chromium severity as Medium.
Same-origin policy bypass in Google Chrome's SanitizerAPI before version 150.0.7871.47 allows a remote attacker to violate cross-origin integrity boundaries through a crafted HTML page that exploits insufficient input validation. The flaw targets a security-critical browser API whose purpose is precisely to prevent unsafe HTML injection, making the bypass particularly notable. EPSS at 0.22% (13th percentile) indicates low near-term exploitation probability, and no active exploitation or public exploit code has been identified at time of analysis.
Cross-origin data leakage in Google Chrome's Network component (versions prior to 150.0.7871.47) enables a remote attacker who has already achieved renderer process compromise to bypass same-origin policy protections and exfiltrate sensitive cross-origin data via a crafted HTML page. This vulnerability functions as a second-stage exploit primitive within a chain - it does not enable initial access but extends the impact of an existing renderer compromise. No public exploit code or CISA KEV listing has been identified at time of analysis; EPSS of 0.21% (11th percentile) reflects low observed exploitation activity.
Cross-origin data leakage in Google Chrome's StorageAccessAPI (prior to 150.0.7871.47) enables a remote attacker who has already compromised the renderer process to read storage or cookie data belonging to other origins by delivering a crafted HTML page. This is a chained attack - the StorageAccessAPI policy bypass is the second stage of a multi-step compromise, not a standalone entry point. EPSS is very low (0.17%, 7th percentile), no active exploitation is confirmed in CISA KEV, and no public exploit code has been identified at time of analysis.
UI spoofing in Google Chrome's WebXR subsystem (versions prior to 150.0.7871.47) is achievable by an attacker who has already compromised the renderer process, allowing manipulation of browser UI elements via a crafted HTML page. The vulnerability is a second-stage attack component, not a standalone entry point - exploitation chains through a separate renderer compromise before WebXR's insufficient input validation can be abused. EPSS at 0.17% (7th percentile) and no CISA KEV listing indicate minimal observed exploitation activity; patch is available as of Chrome 150.0.7871.47.
Cross-origin credential data leakage in Google Chrome's built-in Passwords feature (all versions prior to 150.0.7871.47) can be triggered remotely via a crafted HTML page requiring only user interaction. The flaw is rooted in an inappropriate implementation in Chrome's password management subsystem (CWE-522 - Insufficiently Protected Credentials), allowing a remote attacker to read data across origin boundaries that should be strictly isolated. No public exploit code is identified and EPSS stands at 0.17% (7th percentile), indicating limited exploitation pressure at time of analysis; however, Chrome's ubiquitous deployment makes the aggregate exposure significant.
Local privilege escalation in Google Chrome's Updater component on Windows (versions prior to 150.0.7871.47) allows a local attacker to escalate to OS-level privileges via a malicious file that triggers a use-after-free condition. Google rates the Chromium security severity as Medium, though the CVSS base score is 7.8 (High) because the Updater runs with elevated (SYSTEM) privileges. There is no public exploit identified at time of analysis and EPSS is very low (0.11%, 1st percentile), indicating negligible observed exploitation activity.
Sandbox escape in Google Chrome's Navigation component before 150.0.7871.47 lets a remote attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page. Rated Medium by Chromium but carries a 9.6 CVSS due to the scope-changing sandbox breach; EPSS is low (0.17%, 7th percentile) and there is no public exploit identified at time of analysis, indicating it is realistically a second-stage link in an exploit chain rather than a standalone remote-code path.
Cross-origin data leakage in Google Chrome's SVG implementation prior to version 150.0.7871.47 allows a remote attacker to read data from cross-origin resources by luring a victim to a crafted HTML page. The flaw exploits improper SVG handling that bypasses same-origin policy protections, exposing potentially sensitive session data or authenticated content from third-party origins. No active exploitation has been confirmed (not listed in CISA KEV), and EPSS stands at 0.17% (7th percentile), indicating low observed exploitation probability at time of analysis.
Cross-origin data exfiltration in Google Chrome's WebRTC subsystem on Windows allows remote attackers to leak sensitive data from other origins by directing victims to a specially crafted HTML page. All Chrome on Windows versions prior to 150.0.7871.47 are affected. No public exploit identified at time of analysis, and the EPSS score of 0.17% (7th percentile) signals low near-term exploitation probability despite the CVSS High confidentiality impact - consistent with Chromium's own 'Medium' severity designation and the inherent timing-sensitivity of race condition attacks.
UI spoofing in Google Chrome's Paint rendering component (versions prior to 150.0.7871.47) enables remote attackers to misrepresent browser interface elements through a specially crafted HTML page, with the victim's visit being the sole prerequisite. The CVSS vector confirms high integrity impact (I:H) with no confidentiality or availability exposure, consistent with CWE-451 misrepresentation of critical UI information rather than code execution. No public exploit has been identified and EPSS sits at the 7th percentile (0.17%), indicating very low near-term exploitation probability; a vendor patch is confirmed available in the Chrome stable channel.
UI spoofing in Google Chrome prior to version 150.0.7871.47 is caused by an inappropriate SVG rendering implementation, enabling remote attackers to visually misrepresent browser UI elements through a crafted HTML page. Exploitation requires user interaction - the victim must visit a malicious page - and the direct impact is limited to integrity via visual deception, with no confidentiality or availability consequence. No public exploit has been identified and the EPSS score of 0.17% (7th percentile) confirms minimal exploitation activity at time of analysis.
CSS side-channel information leakage in Google Chrome prior to 150.0.7871.47 enables a remote attacker to read potentially sensitive data from the browser's process memory by inducing a victim to visit a specially crafted HTML page. The vulnerability is classified under CWE-1300 (Improper Protection of Physical Side Channels), indicating that observable rendering or timing behavior in Chrome's CSS engine can be exploited to infer in-memory state. No public exploit identified at time of analysis; however, the CVSS-assessed confidentiality impact is rated High, and Google has released a fix in Chrome stable channel version 150.0.7871.47.
Out-of-bounds memory read in the SurfaceCapture component of Google Chrome before 150.0.7871.47 lets a remote attacker leak adjacent heap memory when a victim opens a crafted HTML page. Chromium rated the flaw Medium severity, though the associated CVSS is 8.1; there is no public exploit identified at time of analysis and EPSS estimates exploitation probability at just 0.17% (7th percentile), consistent with a browser bug fixed pre-disclosure. Successful exploitation could disclose sensitive in-process data or crash the renderer, and typically serves as one link in a larger sandbox-escape chain rather than standalone compromise.
Uninitialized memory use in Chrome's codec subsystem on Windows leaks process memory contents to remote attackers who can direct a user to a crafted HTML page. All Chrome versions prior to 150.0.7871.47 on Windows are affected; exploitation requires no authentication but does require the victim to visit attacker-controlled content, placing this in the drive-by browsing threat category. No public exploit code has been identified at time of analysis, and Google has released a confirmed fix in stable channel 150.0.7871.47.
Inappropriate implementation in Passwords in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Uninitialized memory read in Google Chrome's WebXR subsystem on Android (versions prior to 150.0.7871.47) enables remote attackers to leak sensitive contents from process memory by inducing a victim to visit a crafted HTML page. The root cause is CWE-457 (use of an uninitialized variable) within the WebXR implementation, meaning memory buffers are consumed before being properly zeroed or assigned, exposing whatever residual data the process held. No public exploit or CISA KEV listing is identified at time of analysis, but the CVSS C:H rating reflects the potential for meaningful data exposure including in-memory credentials, tokens, or browsing context.
Insufficient policy enforcement in PermissionsPolicy in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)
Use after free in Navigation in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Medium)
Use after free in Omnibox in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Inappropriate implementation in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Insufficient policy enforcement in Extensions in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Medium)
UI spoofing in Google Chrome's Geolocation implementation allows an attacker who has already compromised the renderer process to present misleading geolocation-related interface elements to the user via a crafted HTML page. Affected versions are all Chrome releases prior to 150.0.7871.47. The integrity impact is rated High (CVSS I:H) because the spoofed UI can deceive users into granting or believing geolocation permissions under false pretenses; no public exploit or CISA KEV listing exists, and the 0.17% EPSS score (7th percentile) reflects low observed exploitation probability.
Inappropriate implementation in Network in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium)
Inappropriate implementation in XML in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium)
Insufficient validation of untrusted input in Extensions in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Medium)
UI spoofing via the File Input security indicator in Google Chrome on macOS allows a remote attacker to misrepresent security-critical interface elements when a user visits a crafted HTML page and performs specific UI gestures. Affected are all Chrome for Mac builds prior to 150.0.7871.47. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV; combined with the high attack complexity and required user interaction, real-world exploitation at scale is unlikely without a targeted social engineering component.
UI spoofing in the Extensions component of Google Chrome on Android (prior to 150.0.7871.47) allows a remote attacker to misrepresent security UI elements by luring a victim into performing specific UI gestures on a crafted HTML page. The root cause (CWE-451) is incorrect rendering of security-critical extension UI, potentially misleading users about which extensions are active or what permissions they hold. No public exploit identified at time of analysis; the vendor has released a patch in the stable channel update.
Inappropriate implementation in Permissions in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Insufficient validation of untrusted input in Autofill in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Inappropriate implementation in Credential Management in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Domain spoofing in Google Chrome's WebAppInstalls component (versions prior to 150.0.7871.47) allows remote attackers to misrepresent the security origin displayed to a user, enabling phishing or social engineering attacks. Exploitation requires convincing the victim to perform specific UI gestures while visiting a crafted HTML page, placing this in a moderate-complexity social engineering category. No public exploit code has been identified at time of analysis, and the vendor has released a patch in Chrome 150.0.7871.47.
UI spoofing in Google Chrome on macOS prior to version 150.0.7871.47 allows a remote attacker to misrepresent browser UI elements by convincing a user to perform specific UI gestures on a crafted HTML page. Rooted in CWE-451 (UI Misrepresentation of Critical Information), the flaw can cause security-sensitive browser chrome - such as origin indicators or permission prompts - to display falsified content, potentially deceiving users into unsafe actions. No public exploit code exists and this vulnerability is not listed in CISA KEV; the vendor has released a patch in the Chrome 150 stable channel.
Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
UI spoofing in Google Chrome for Windows (prior to 150.0.7871.47) is enabled by insufficient input validation in the DataTransfer subsystem when the renderer process has already been compromised. A remote attacker who controls a compromised renderer can deliver a crafted HTML page that manipulates visual UI elements, potentially deceiving users into approving malicious permissions, revealing credentials, or performing unintended actions. No active exploitation has been confirmed (not in CISA KEV), and EPSS of 0.17% at the 7th percentile reflects minimal observed exploitation probability; however, exploitation as a second-stage payload in a renderer RCE chain remains a realistic concern for high-value targets.
UI spoofing in Google Chrome's PageInfo component affects all desktop versions prior to 150.0.7871.47, enabling an attacker who has already compromised the renderer process to present deceptive browser security indicators to the user via a crafted HTML page. The vulnerability stems from an inappropriate implementation in the PageInfo subsystem (CWE-451), which controls the trusted security panel users consult to assess site authenticity. No active exploitation is confirmed - EPSS is 0.17% (7th percentile), SSVC rates exploitation as none, and this CVE is absent from the CISA KEV catalog - but the integrity impact is high where the attack chain is achievable.
Inappropriate implementation in Paint in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Incorrect security UI in Mobile in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
UI spoofing in Google Chrome's Media UI component on ChromeOS allows a remote attacker to manipulate what a user sees by delivering a crafted HTML page and social-engineering the victim into performing specific in-browser UI gestures. Affected versions are all Chrome on ChromeOS prior to 150.0.7871.47. While classified Medium severity (CVSS 4.2), the practical risk is constrained by the requirement for active user interaction and the ChromeOS-only scope; no public exploit code or CISA KEV listing has been identified at time of analysis.
UI spoofing via MediaCapture in Google Chrome prior to 150.0.7871.47 enables a remote attacker who has already compromised the renderer process to misrepresent browser UI through a crafted HTML page, potentially deceiving users into granting permissions or trusting malicious content. This is a chained exploitation technique - it requires a prior renderer compromise as a prerequisite - making it a post-exploitation integrity threat rather than an initial access vector. EPSS is 0.21% (11th percentile), no public exploit or CISA KEV listing exists at time of analysis, and Google has patched this in the stable channel update.
UI spoofing in Google Chrome's TabStrip component, fixed in version 150.0.7871.47, enables remote attackers to misrepresent browser security indicators through specially crafted HTML pages. The incorrect security UI rendering in the tab strip allows an attacker to deceive users about the true origin or security state of a webpage, creating phishing-enablement risk. No public exploit code and an EPSS of 0.17% (7th percentile) indicate low exploitation likelihood at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Omnibox (URL bar) spoofing in Google Chrome for iOS prior to 150.0.7871.47 enables a remote attacker to display falsified URL content to a victim user via a crafted HTML page. Exploitation requires convincing the target to perform specific UI gestures while visiting the malicious page, making this a phishing-enabler rather than a direct code-execution primitive. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis; Google has released a fix in the 150.0.7871.47 stable channel update.
UI spoofing in Google Chrome for iOS prior to version 150.0.7871.47 enables a remote attacker to misrepresent page identity or security state through a specially crafted HTML page, exploiting an inappropriate implementation classified under CWE-451. The vulnerability affects only the iOS-specific Chrome codebase - not Chrome on other platforms - and requires user interaction (visiting an attacker-controlled page). No public exploit code has been identified and EPSS sits at 0.21% (11th percentile), indicating low observed exploitation probability; it is not listed in the CISA KEV catalog.
Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Inappropriate implementation in Paint in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Insufficient policy enforcement in PageInfo in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Universal Cross-Site Scripting (UXSS) in Google Chrome's HTMLParser prior to 150.0.7871.47 enables remote attackers to inject arbitrary scripts or HTML into a victim's browser context by serving a crafted HTML page. The flaw is classified Medium severity by Google's Chromium security team and carries a CVSS 5.4 score, with EPSS at 0.17% (7th percentile) and no CISA KEV listing, indicating low current exploitation activity. A vendor-released patch exists in Chrome 150.0.7871.47; Chrome's auto-update mechanism substantially narrows the exposure window for most consumer endpoints.
Sandbox escape in Google Chrome prior to 150.0.7871.47 exploits a heap-based buffer overflow (CWE-122) in the Storage component, enabling an attacker who has already compromised the renderer process to break out of Chrome's sandbox via a crafted HTML page. This is a chained, second-stage vulnerability - renderer compromise through a separate flaw is a hard prerequisite, making standalone exploitation infeasible. EPSS sits at 0.21% (11th percentile), there is no CISA KEV listing, and no public exploit code has been identified at time of analysis; a vendor patch is confirmed available as Chrome 150.0.7871.47.
Out-of-bounds read in ANGLE, Chrome's cross-platform graphics abstraction engine, enables sensitive process memory disclosure on macOS for attackers who have already compromised the renderer process. Affected versions are Google Chrome prior to 150.0.7871.47 on Mac; Windows and Linux are not listed as affected. This flaw is a second-stage technique in a multi-vulnerability chain - not a standalone entry point - and no public exploit code or CISA KEV listing has been identified, placing real-world exploitation risk substantially below what the C:H confidentiality impact alone might imply.
Integer overflow in Safe Browsing in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a malicious file. (Chromium security severity: Medium)