Impact
The vulnerability originates from an insecure implementation in the GPU component of Google Chrome prior to version 149.0.7827.53. When a crafted HTML page is rendered, the flaw can be used to escape the browser sandbox, so that attacker-controlled code runs with privileges the sandbox is meant to withhold. An attacker who exploits it can execute arbitrary code on the victim's system, compromising the confidentiality, integrity, and availability of the user's data and processes.
Affected Systems
Google Chrome earlier than version 149.0.7827.53 is affected on every supported operating system. Because the flaw is in the GPU implementation, it is present on all desktop platforms where GPU acceleration is enabled. Updating to 149.0.7827.53 or later removes the flaw; a version check against that threshold is the simplest way to confirm exposure across a fleet.
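The following is an added example, not part of this advisory or of the Chromium project, showing how to test reported Chrome version strings against the fixed version stated above. Versions must be compared component by component as integers, not as text ("149.0.7827.53" sorts before "99.0.4844.51" as a string). The function names and the sample host inventory are assumptions for illustration.

```python
# Added example: flag Chrome installs earlier than the first fixed release
# named in this advisory (149.0.7827.53). Function names, the triage
# labels and the sample inventory are assumptions, not advisory content.

from typing import Dict, Tuple

FIXED_VERSION = "149.0.7827.53"  # first fixed release per the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted Chrome version ('149.0.7827.53') into an integer tuple.

    Plain string comparison is wrong for versions ('149...' < '99...' as
    text), so each component is converted to an integer before comparing.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """Return True when `installed` is earlier than `fixed`.

    Shorter tuples are zero-padded so that '149.0' compares as '149.0.0.0'.
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'affected' / 'patched' / 'unknown' for a {host: version} dict.

    A malformed or missing version is reported as 'unknown' rather than
    silently treated as patched, so it still surfaces for follow-up.
    """
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "patched"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "ws-01": "148.0.7700.102",   # earlier major: affected
    "ws-02": "149.0.7827.53",    # exactly the fixed build: patched
    "ws-03": "149.0.7827.60",    # later build: patched
    "ws-04": "99.0.4844.51",     # old install that string-compare would miss
    "ws-05": "unknown",          # inventory gap: reported, not assumed safe
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Feed `triage()` whatever your endpoint inventory exports for the Chrome version; the point of the `unknown` bucket is that hosts without a parseable version are never counted as patched.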
Risk and Exploitability
Chromium rates this flaw Critical, meaning successful exploitation could lead to full system compromise. No EPSS score is available and the vulnerability is not currently listed in the CISA KEV catalog; the absence of an exploit-probability figure does not lower the risk, since the only precondition is that a vulnerable Chrome renders the crafted page. The most likely attack vector is a user visiting an attacker-controlled web page, or an attacker positioned on the network path who serves such a page. Once the affected Chrome instance processes the crafted content, the GPU implementation flaw can be used to escape the sandbox and take control of the user's system.
OpenCVE Enrichment