Use-after-free sandbox escape in Google Chrome WebMIDI on Windows

Successful exploitation could allow an attacker who already has code execution or equivalent compromise within the Chrome renderer process to escape the browser sandbox on Windows. This would let the attacker elevate the impact of an initial renderer compromise and potentially achieve arbitrary code execution outside sandbox restrictions, increasing the risk of broader system compromise. The broader Chromium advisory context also notes that Chrome vulnerabilities in this release could result in arbitrary code execution, denial of service, or information disclosure, but for this specific CVE the explicit impact provided is sandbox escape.

No specific workaround or temporary mitigation was provided in the supplied content. The practical mitigation is to reduce exposure until patching by limiting use of affected Chrome/Chromium builds on Windows, especially in high-risk browsing contexts, and prioritizing rapid browser update deployment. Because the vulnerability requires prior renderer compromise, reducing exposure to untrusted web content and enforcing standard browser hardening and application control may lower risk, but patching is the primary mitigation.

Upgrade Google Chrome on Windows to version 149.0.7827.115 or later. For Chromium on Debian, apply the vendor security update and upgrade to a fixed package version such as 149.0.7827.114-1~deb12u1 on Debian oldstable (bookworm) or 149.0.7827.114-1~deb13u1 on Debian stable (trixie), as provided in the advisory context. More generally, deploy the Chrome 149 security update across affected systems promptly.