Impact
The vulnerability is a use‑after‑free flaw in the SVG rendering engine of Google Chrome, which allows a remote attacker to execute arbitrary code within the browser’s sandbox when a user opens a specially crafted HTML page. The flaw arises from improper memory handling during SVG parsing, enabling an attacker to trigger the use‑after‑free condition. In practice, an attacker could load malicious content in a browser session and cause the sandboxed process to execute attacker‑supplied code. This risk is classified as high due to the remote nature of the attack and the potential impact on system security.
Affected Systems
Google Chrome browsers running any version prior to 148.0.7778.216 are affected. The issue exists across all supported platforms—including Windows, macOS, Linux, and Chrome OS—whenever the SVG engine is active and the user navigates to or renders a malicious HTML document containing exploitable SVG content.
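The version boundary above can be checked across a fleet with a short script. This is an added example, not code from the advisory or from Google: it assumes inventory data arrives as (hostname, reported version string) pairs in the style of `--version` output, and the hostnames and sample versions are constructed. Comparing the four version parts as integers matters, because a plain string comparison would rank 148.0.7778.99 above 148.0.7778.216.

```python
import re

# Fixed version taken from the advisory text above.
FIXED = (148, 0, 7778, 216)

# Four-part dotted version inside a reported string (input format is an assumption).
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the version as a tuple of ints, or None if none is found."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(text):
    """Classify one reported version string against the fixed release."""
    version = parse_version(text)
    if version is None:
        # Never treat unparseable data as patched; surface it for follow-up.
        return "unknown"
    # Tuple comparison is numeric per component, unlike string comparison.
    return "vulnerable" if version < FIXED else "patched"


def triage(inventory):
    """Map hostname -> status for (hostname, reported_version) pairs."""
    return {host: classify(reported) for host, reported in inventory}


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("ws-001", "Google Chrome 148.0.7778.216"),
    ("ws-002", "Google Chrome 148.0.7778.99"),
    ("ws-003", "Google Chrome 147.0.7700.10"),
    ("ws-004", "Google Chrome 149.0.7800.5"),
    ("ws-005", "version query failed"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```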
Risk and Exploitability
The vulnerability can be exploited remotely by an attacker who convinces a user to visit a malicious web page. No EPSS score is available, and the flaw is not listed in the CISA KEV catalog, but its CVSS score of 8.8 and remote execution potential warrant significant concern. Exploitation requires no special network privileges beyond normal browser access, and success would be confined to the sandboxed process. An attack relies on crafted SVG within an HTML page and on the victim’s interaction with that page, making social engineering a likely component of an attack chain.
OpenCVE Enrichment