Chromoting, the remote‑desktop component built into Google Chrome for macOS, contains a use‑after‑free flaw that allows a remote attacker to execute arbitrary code by sending specially crafted network traffic to a Chrome instance running with the Chromoting component enabled. The vulnerability is triggered when the component processes malformed data, leading to a use‑after‑free condition (CWE‑416) and memory corruption (CWE‑825). Based on the description, it is inferred that an attacker must send malicious packets over the network to the Chrome instance in order to abuse the flaw; successful exploitation enables the attacker to run code with the privileges of the user running Chrome, thereby compromising confidentiality, integrity and availability.

Any macOS computer with a Google Chrome installation prior to version 149.0.7827.53 that has the Chromoting component active is affected. Versions 149.0.7827.53 and later contain the fix. The vulnerability is exercised when the Chrome Remote Desktop feature is enabled.

The CVSS score of 8.1 classifies the issue as high severity, and the EPSS score of less than 1% indicates a low likelihood of exploitation in the current landscape. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector involves delivering malicious network traffic to the Chrome instance with the Chromoting component active; if exploited, an attacker could achieve arbitrary code execution with the privileges of the local user. Because the flaw arises in a network‑driven component, exploitation likely requires network access to the host and an active Chrome session with the remote‑desktop functionality enabled.