Impact
This vulnerability is a use-after-free flaw in the SurfaceCapture component of Google Chrome on Android. An attacker who has already compromised a renderer process can craft a malicious HTML page that triggers use of the freed memory, escaping the sandbox and potentially executing arbitrary code on the device. The weakness is classified as CWE-416 (use after free), a memory-safety bug class that can lead to code execution. The primary impact is the loss of isolation between the renderer process and the rest of the system: a single compromised web page can be elevated to a full system compromise if the attacker can exploit the flaw.
Affected Systems
Versions of Google Chrome for Android released before 149.0.7827.53 are affected. Any device running these builds that allows loading untrusted HTML content is subject to the risk. The problem is not limited to specific device models; it applies to all Chrome Android installations containing the vulnerable SurfaceCapture implementation.
Risk and Exploitability
The CVSS score of 8.3 is rated High, indicating a severe risk. No EPSS score is available, so the current likelihood of exploitation cannot be quantified, but the absence of a KEV listing indicates that no widespread exploitation has been reported to date. The vulnerability requires the attacker to have already compromised the renderer process, typically through a malicious website or content injection. Once that condition is met, the crafted HTML page can trigger the use-after-free and bypass the renderer sandbox, leading to arbitrary code execution. Given the severity rating and the nature of the flaw, affected systems should be treated as high-risk until the patch is applied.
OpenCVE Enrichment