Use-After-Use defects in memory management can generate heap corruption when a freed resource is accessed again. In Chrome for iOS, the Autofill module can be triggered by a carefully crafted web page that causes a UI gesture to access a previously released structure. This pattern can corrupt the heap and may enable an attacker to execute arbitrary code if the corrupted memory alters control flow. The vulnerability is catalogued as CWE-416, indicating that free operations are performed on still-referenced memory.

The flaw is present in all releases of Chrome for iOS older than 149.0.7827.53. No device-model exclusions were specified, so all iOS devices running the affected browser version are susceptible. The update mentioned in the references introduces the necessary fix; until that version is installed the vulnerability remains active.

The issue carries a CVSS score of 8.8, indicating a high severity, suggesting a serious consequence. The EPSS score is less than 1%, indicating a low likelihood of exploitation, but the KEV listing remains absent. Exploitation requires user interaction: visiting a specially crafted HTML page and performing the Autofill gesture, which could be delivered via phishing or malicious advertising. Because the weakness involves a free-after-use, the stability and success of an exploit are uncertain, yet the high severity and wide user base warrant immediate attention.