Impact
A race condition exists in the WebAudio implementation of Google Chrome before version 148.0.7778.216. The flaw allows a malicious web page to trigger concurrent operations that lead to arbitrary code execution inside the browser’s sandboxed process. It is classified as a concurrency control weakness (CWE‑362). Exploitation generally requires the attacker to interleave interactions in a specific order, which is why it is considered a higher‑level security issue than a typical input validation bug. Because the code runs with the privileges of the browser process, successful exploitation could allow information leakage or the launch of further attacks if the sandbox can be broken.
Affected Systems
The vulnerability affects all installations of Google Chrome that have not been updated to version 148.0.7778.216 or later. It applies to the stable channel releases on all supported operating systems. Users who remain on older builds of Chrome are at risk, regardless of the device or OS they use, unless other mitigating conditions, which are not specified, apply.
Risk and Exploitability
The likely attack vector is serving a crafted HTML page that triggers the race condition in a victim’s browser (inferred from the description). The CVSS score is 7.5, indicating high severity. The EPSS score is less than 1%, implying low current exploitation probability, but the existence of a simple exploit path suggests that opportunistic attackers could deploy it when they are ready. The vulnerability is not listed in the CISA KEV catalog, which means no confirmed exploitation in the wild has been reported, yet the concurrency flaw could still be leveraged by attackers with the appropriate web skills.
OpenCVE Enrichment