Impact
This vulnerability is a use‑after‑free flaw in the SurfaceCapture component of Google Chrome on Android. An attacker who has already compromised a renderer process can serve a crafted HTML page that causes the freed memory to be used again, escaping the renderer sandbox and potentially executing arbitrary code on the device. The weakness is classified as CWE‑416 (Use After Free) and CWE‑825 (Expired Pointer Dereference). The primary impact is the loss of isolation between the renderer process and the rest of the system: a single compromised web page can be elevated to a full system compromise if the attacker successfully exploits the flaw.
Affected Systems
Versions of Google Chrome for Android released before 149.0.7827.53 are affected. Any device running one of these builds that can load untrusted HTML content is exposed. The problem is not limited to specific device models; it applies to every Chrome for Android installation that contains the vulnerable SurfaceCapture implementation.
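Because the affected range is defined purely by version number, the practical check for a fleet is a correct dotted-version comparison against the fixed build. The following is an added example (not code from the advisory or from the Chrome project) that parses Chrome's numeric four-part version strings, compares them with zero-padding so that short strings such as "149" are handled, and flags devices whose installed build is older than 149.0.7827.53. The inventory list and device identifiers are constructed sample data; the assumption that an installed version is reported as a dotted numeric string is the author's.

```python
from typing import List, Tuple

# Fixed build from the advisory: builds strictly older than this are affected.
FIXED_VERSION = "149.0.7827.53"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version string into a tuple of ints.

    Raises ValueError on empty or non-numeric input so that a malformed
    inventory record is surfaced instead of silently treated as patched.
    """
    text = version.strip()
    if not text:
        raise ValueError("empty version string")
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError as exc:
        raise ValueError(f"malformed version string: {version!r}") from exc


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b.

    Shorter strings are right-padded with zeros, so "149" compares as
    "149.0.0.0", which is what a release-ordering comparison expects.
    """
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is strictly older than the fixed build."""
    return compare_versions(installed, fixed) < 0


# Constructed sample inventory: (device id, reported Chrome version).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("phone-01", "148.0.7700.12"),   # older major build: affected
    ("phone-02", "149.0.7827.53"),   # exactly the fixed build: not affected
    ("phone-03", "149.0.7827.60"),   # newer patch build: not affected
    ("phone-04", "150.0.8000.0"),    # newer major build: not affected
    ("phone-05", "149.0.7826.99"),   # same major, older build number: affected
    ("phone-06", "149"),             # truncated report, padded to 149.0.0.0: affected
]


def triage_inventory(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the ids of devices that still need the Chrome update."""
    return [device for device, version in inventory if is_affected(version)]


if __name__ == "__main__":
    for device in triage_inventory(SAMPLE_INVENTORY):
        print(f"{device}: update Chrome to {FIXED_VERSION} or later")
```

The comparison is deliberately strict on input: a blank or non-numeric version raises rather than returning "not affected", since a silent default in a patch-status report is the kind of error that hides exposed devices.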
Risk and Exploitability
The CVSS score of 8.3 indicates high severity. The EPSS score is < 1%, so the estimated exploitation likelihood is very low but non‑zero, and the vulnerability is not listed in CISA KEV. Exploitation requires the attacker to first compromise the renderer process, typically through a malicious website or injected content. Once that precondition is met, a crafted HTML page can trigger the use‑after‑free, bypassing the renderer sandbox and allowing arbitrary code execution. The flaw's classification under both CWE‑416 and CWE‑825 underlines its seriousness, and operators should treat it as a high‑risk condition until the patched build is deployed.