UXSS in Google Chrome Serial

Successful exploitation allows arbitrary script or HTML injection in the browser context through UXSS. This can enable bypass of normal origin-based browser security boundaries, execution of attacker-controlled JavaScript in unintended contexts, access to sensitive web application data available to the compromised context, session theft, user impersonation within affected sites, and use of the browser as a pivot for further client-side attacks. The broader mention contexts also note that Chrome/Chromium vulnerability sets of this release may contribute to security restriction bypass and sensitive information disclosure.

No specific workaround or temporary mitigation is provided in the supplied advisories beyond updating. As interim risk reduction, organizations can reduce exposure by limiting use of untrusted websites, enforcing browser isolation or remote browsing for high-risk users, restricting access to sensitive internal web applications from unmanaged browsing contexts, and monitoring for outdated Chromium-based browser versions until patch deployment is complete.

Upgrade Google Chrome to version 149.0.7827.155 or later. For Microsoft Edge (Chromium-based), upgrade to version 149.0.4022.80 or later, which incorporates the upstream Chromium fix. For Debian Chromium packages, upgrade to 149.0.7827.155-1~deb13u1 on Debian stable (trixie) or 149.0.7827.155-1~deb12u1 on Debian oldstable (bookworm). Apply the vendor-provided patched browser builds across all affected endpoints.