Impact
The CVE documents a type confusion flaw in V8, the JavaScript engine that powers Google Chrome, which allows a remote attacker to achieve arbitrary code execution inside the browser's sandbox via a crafted HTML page. The vulnerability stems from incorrect handling of type-casting operations, which lets an attacker trigger undefined behavior that the engine cannot safely detect. Successful exploitation could compromise the confidentiality, integrity, or availability of the affected system and could serve as a foothold for further attacks beyond the browser sandbox. This condition corresponds to CWE-843: Type Confusion.
Affected Systems
Google Chrome versions earlier than 149.0.7827.53 are affected on every supported platform. Any user who visits a malicious site that serves specially constructed HTML content is exposed to this flaw until the browser is updated.
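As an added example, not part of the advisory, the check a defender would run over an asset inventory to flag Chrome builds older than the fixed release. The inventory lines and host names are constructed sample data; the fixed version 149.0.7827.53 is the one stated above. Chrome versions must be compared numerically per component, since a plain string comparison mis-orders them.

```python
import re
from typing import Optional, Tuple

# Fixed version named in the advisory; every earlier build is affected.
FIXED_VERSION = "149.0.7827.53"
# Chrome reports four numeric components (major.minor.build.patch).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return the first four-part Chrome version found in free text, or None.
    Accepts bare version strings, `google-chrome --version` output and
    User-Agent headers ("Chrome/149.0.7827.53")."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.groups())  # numeric, not lexicographic

def is_affected(version_text: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if older than the fixed build, False if patched,
    None if no version could be parsed (treat as unknown, not as safe)."""
    found = parse_version(version_text)
    if found is None:
        return None
    return found < parse_version(fixed)

def triage_inventory(lines) -> dict:
    """Classify "host,version-string" lines into affected / patched / unknown."""
    result = {"affected": [], "patched": [], "unknown": []}
    for line in lines:
        host, _, version_text = line.partition(",")
        status = is_affected(version_text)
        bucket = "unknown" if status is None else ("affected" if status else "patched")
        result[bucket].append(host.strip())
    return result

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    "ws-01,Google Chrome 148.0.7700.120",
    "ws-02,149.0.7827.53",
    "ws-03,Mozilla/5.0 ... Chrome/149.0.7827.60 Safari/537.36",
    "ws-04,9.0.1.1",  # a string compare would wrongly rank this above 149.x
    "ws-05,chrome not installed",
]

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {hosts}")
```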
Risk and Exploitability
The vulnerability has a CVSS score of 8.8, which is high severity. No commercial exploit is currently documented, and the EPSS score is unavailable, indicating limited exploitation activity. The flaw is not listed in the CISA KEV catalog. An attacker can exploit it remotely by hosting or serving a malicious HTML page; the resulting code would run with the privileges of the sandboxed renderer process. Although exploitation is feasible in principle, the lack of existing exploit code and absence from major exploitation feeds reduce the immediate risk; the potential for future exploitation nonetheless remains significant.
OpenCVE Enrichment