Impact
The flaw is a type‑confusion vulnerability in ANGLE that allows a crafted HTML page to access memory beyond an intended boundary. This can corrupt data structures on the stack or heap, and if an attacker can influence the corrupted data, the impact could extend to executing arbitrary code or causing a denial‑of‑service. The weakness is classified as CWE‑843, which specifically describes type confusion problems where differing data types are incorrectly interpreted as the same type.
Affected Systems
Google Chrome on Windows is affected in any version prior to 149.0.7827.53. Builds of the browser that incorporate ANGLE under the Chromium engine and predate that patch are vulnerable. Later stable releases (149.0.7827.53 and newer) contain the fix.
Risk and Exploitability
The CVE is marked as high severity by Chromium’s internal scoring, but no public EPSS data is available. The vulnerability is not listed in CISA’s KEV catalog, suggesting it is not a known exploited vulnerability in the wild. Attackers would need to trick a user into opening a maliciously crafted web page while Chrome is running on Windows; successful exploitation also requires that a user or process render the page in a context where ANGLE is used. Because the flaw is an out-of-bounds memory access, the risk is significant should an exploit be developed, but the current lack of evidence of active exploitation lowers confidence that it poses an immediate real-world threat.