Impact
A heap buffer overflow in the Media component of Google Chrome, affecting versions prior to 149.0.7827.53, allows a remote attacker who has persuaded a user to perform specific UI gestures to exploit the flaw through a crafted HTML page and execute arbitrary code inside a sandbox. The flaw is classified both as a heap-based buffer overflow (CWE‑122) and as a buffer copy without checking the size of input (CWE‑120): an unchecked copy overruns a heap buffer, enabling code execution with sandboxed privileges and potentially opening the way to further exploitation.
Affected Systems
All users running Google Chrome Stable on desktop platforms below version 149.0.7827.53 are susceptible. This includes Chrome on Windows, macOS, and Linux. The advisory identifies the fix only by release number, so users should verify whether their installed build is below the patched release 149.0.7827.53.
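A small check for the verification step above, added here and not part of the advisory. It assumes the version string has already been obtained from the host (for example the output of `google-chrome --version` on Linux, or the value shown on chrome://version) and compares it numerically against the patched release, since a plain string comparison mis-orders builds such as 149.0.7827.9 and 149.0.7827.53.

```python
import re
from typing import Tuple

# Patched Chrome Stable release named in the advisory.
PATCHED_VERSION = "149.0.7827.53"

# Chrome versions have four dotted numeric components.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){3})")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a four-part Chrome version from a string such as
    'Google Chrome 149.0.7827.53' and return it as a tuple of ints,
    so that comparisons are numeric per component."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the installed build is below the patched release.
    Component-wise integer comparison avoids the lexicographic trap
    where '149.0.7827.9' would sort above '149.0.7827.53'."""
    return parse_version(installed) < parse_version(patched)


if __name__ == "__main__":
    # Constructed sample outputs of `google-chrome --version` on several hosts.
    samples = [
        "Google Chrome 148.0.7810.120",
        "Google Chrome 149.0.7827.9",
        "Google Chrome 149.0.7827.53",
        "Google Chrome 150.0.7850.1",
    ]
    for sample in samples:
        state = "AFFECTED" if is_affected(sample) else "patched"
        print(f"{sample}: {state}")
```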
Risk and Exploitability
The CVSS score is 7.5 (High), reflecting a high likelihood of exploitation once the user engages with the malicious content. EPSS data indicates a probability of exploitation lower than 1%, and the vulnerability is not listed in the CISA KEV catalog, indicating no known mass exploitation yet. Exploitation requires a user to interact with a crafted HTML page, typically by visiting a malicious website or following a social‑engineering cue that initiates the required UI gestures. Once triggered, the overflow can lead to arbitrary code execution within the sandboxed context.
OpenCVE Enrichment