An out‑of‑bounds read in the ANGLE graphics stack of Google Chrome, found in versions prior to 149.0.7827.53, allows a remote attacker who has already compromised the renderer process to read memory beyond allocated bounds. The vulnerability is a classic example of CWE‑125, where improper bounds checking can lead to information leakage and, in this case, the ability to escape the renderer sandbox. If successful, the attacker could gain higher privileges, execute arbitrary code, or otherwise compromise the integrity of the host system.

Google Chrome browsers on desktop platforms, any version earlier than 149.0.7827.53, are affected. This includes the stable release channel and any installations that have not yet applied the 149.0.7827.53 patch or any later security updates that re‑implement the ANGLE component safely.

Because the CVE carries a CVSS score of 8.3, the risk is high for environments where untrusted web content is rendered. An attacker would need to deliver a crafted HTML page that is parsed by a renderer process that is already compromised. No EPSS score is currently available and the vulnerability is not listed in the CISA KEV catalog, so the public likelihood of exploitation is uncertain but could be significant if attackers target browsers in high‑profile or enterprise settings. Organizations should treat this as a high‑risk flaw that could be leveraged to break out of the browser sandbox.