A flaw in the Skia graphics library used by Google Chrome allows a maliciously crafted HTML page to trigger an out‑of‑bounds memory access. When the browser processes such a page, the violation permits execution of arbitrary code inside the Chrome renderer sandbox. The vulnerability is classified as a high‑severity flaw, and the associated weaknesses are out‑of‑bounds memory read (CWE‑125) and buffer overflow (CWE‑787), indicating that an attacker could read or write beyond allocated memory, compromising data integrity and confidentiality.

Any installation of Google Chrome older than version 149.0.7827.53 is vulnerable. This includes the stable desktop releases for Windows, macOS, and Linux that ship with the standard Chrome distribution. A web page hosted on an otherwise clean site can serve the malformed content to trigger the exploit, so a single browser visit is sufficient to initiate the attack.

The CVSS score of 8.8 indicates a high severity flaw, while the EPSS score is not available and the issue is not listed in CISA’s KEV catalog. The likely attack vector is a web‑based one: a remote attacker delivers a crafted HTML page to a victim’s Chrome browser. The condition required for exploitation is that the victim visits the malicious page with the vulnerable Skia component active. The outcome is arbitrary code execution within the renderer process, which is sandboxed but could be leveraged to escape the sandbox if additional weaknesses are present.