A use‑after‑free vulnerability in the WebRTC component of Google Chrome, identified as a CWE‑416 flaw, allows a remote attacker to execute arbitrary code within the browser’s sandbox by serving a specially crafted HTML page. The flaw also exhibits characteristics of a memory misuse defect (CWE‑825) where a freed object is accessed again, enabling the attacker to control execution flow inside the protected sandbox, thus potentially compromising confidentiality, integrity, and availability of the user’s system. The described problem carries a Chromium security severity of High.

Google Chrome is affected in all releases prior to 149.0.7827.53. Users running version 149.0.7827.52 or earlier should be aware that any WebRTC traffic generated by a malicious web page could trigger the use‑after‑free exploit. The risk is confined to browsers that process the vulnerable WebRTC sandbox code.

The EPSS score is 0.00071, indicating a very low but nonzero exploitation probability, and the vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog, but the nature of the flaw – remote code execution through a crafted HTML page – makes it attractive to attackers. If a user opens a malicious page that triggers the exploit, an attacker can take control of the browser process. Updating to a fixed release stops the vulnerability, while an attacker would need to exploit the older code path to succeed.