Impact
A use-after-free flaw in the V8 JavaScript engine allows a remote attacker who convinces a user to perform specific UI gestures to execute arbitrary code inside the browser sandbox. The weakness is a classic memory safety error (CWE-416): once a freed object is reused, the attacker gains control of execution. The impact is confined to the sandbox, but attacker-selected code execution there still bypasses many of the browser's security protections. The defect is also classified under CWE-825, which concerns misuse of underlying system resources.
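To make the CWE-416/CWE-825 failure mode concrete from the defender's side, the following is an added example, not V8 code and not from this advisory: a tiny slot table whose handles carry a generation number. Freeing a slot bumps its generation, so a reference that outlives the object it named is refused at the access site instead of being dereferenced after the slot has been reused. All names (`obj_alloc`, `obj_free`, `obj_read`, `stale_handle_demo`) and the slot layout are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Constructed example: a generation-tagged slot table. Not V8 code; it only
 * illustrates why a stale reference (CWE-416 / CWE-825) must be rejected
 * rather than dereferenced once its slot has been freed and reused. */

#define SLOTS 4

struct object { int value; };

struct slot {
    struct object *obj;   /* NULL while the slot is free */
    uint32_t generation;  /* incremented on every free */
};

/* A handle names a slot plus the generation it was issued for. */
struct handle { uint32_t index; uint32_t generation; };

static struct slot table[SLOTS];

/* Allocate an object and return a handle; index == UINT32_MAX on failure. */
struct handle obj_alloc(int value) {
    struct handle h = { UINT32_MAX, 0 };
    for (uint32_t i = 0; i < SLOTS; i++) {
        if (table[i].obj == NULL) {
            table[i].obj = malloc(sizeof *table[i].obj);
            if (!table[i].obj) return h;
            table[i].obj->value = value;
            h.index = i;
            h.generation = table[i].generation;
            return h;
        }
    }
    return h;
}

/* Validate a handle: the slot must be live and the generation must match. */
static struct object *obj_lookup(struct handle h) {
    if (h.index >= SLOTS) return NULL;
    struct slot *s = &table[h.index];
    if (s->obj == NULL || s->generation != h.generation) return NULL;
    return s->obj;
}

/* Free the object; bumping the generation invalidates every outstanding handle. */
int obj_free(struct handle h) {
    struct object *o = obj_lookup(h);
    if (!o) return -1;
    free(o);
    table[h.index].obj = NULL;
    table[h.index].generation++;
    return 0;
}

/* Read through a handle: 0 on success, -1 for a stale or invalid handle. */
int obj_read(struct handle h, int *out) {
    struct object *o = obj_lookup(h);
    if (!o) return -1;
    *out = o->value;
    return 0;
}

/* Scenario: allocate, free, let the slot be reused, then use the old handle.
 * Returns -1 when the stale handle is correctly rejected. */
int stale_handle_demo(void) {
    struct handle a = obj_alloc(42);
    int v;
    if (obj_read(a, &v) != 0 || v != 42) return -100;
    obj_free(a);                       /* object gone, generation bumped */
    struct handle b = obj_alloc(7);    /* same slot is handed out again */
    if (b.index != a.index) return -101;
    /* Without the generation check this read would silently return 7 through
     * a dangling reference; with it, the stale handle is refused. */
    return obj_read(a, &v);
}

int main(void) {
    printf("stale handle result: %d\n", stale_handle_demo());
    return 0;
}
```

The point of the generation tag is that the dangerous moment is not the free itself but the later access through a reference that was never told the object is gone; validating at the use site, rather than trusting the caller, is what turns a silent type confusion into a detectable error.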
Affected Systems
The vulnerability affects Google Chrome releases earlier than 149.0.7827.53. Users on earlier stable-channel builds are exposed; 149.0.7827.53 and later include the fix.
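The practical check for this section is whether an installed build is older than the first fixed version. Dotted Chrome versions cannot be compared as strings (lexicographically "149.0.7827.6" sorts after "149.0.7827.53", which is wrong), so the following added example, which is not from the advisory or from Chrome, parses each component numerically before comparing. `chrome_is_affected`, `parse_version` and the sample version strings are assumptions made for illustration; the fixed version string is the one stated above.

```c
#include <stdio.h>
#include <stdlib.h>

/* First fixed build as stated in the advisory. */
#define FIXED_VERSION "149.0.7827.53"

/* Parse "a.b.c.d" into four numeric components; missing trailing components
 * become 0, and more than four components or any non-digit is an error. */
static int parse_version(const char *s, long out[4]) {
    int n = 0;
    for (;;) {
        char *end;
        if (*s < '0' || *s > '9') return -1;  /* each component starts with a digit */
        if (n == 4) return -1;                /* too many components */
        out[n++] = strtol(s, &end, 10);
        if (*end == '\0') break;
        if (*end != '.') return -1;
        s = end + 1;
    }
    for (; n < 4; n++) out[n] = 0;
    return 0;
}

/* Component-wise comparison: <0, 0, >0 like strcmp, but numeric. */
static int compare_versions(const long a[4], const long b[4]) {
    for (int i = 0; i < 4; i++) {
        if (a[i] != b[i]) return a[i] < b[i] ? -1 : 1;
    }
    return 0;
}

/* Returns 1 if the installed version is affected (older than the fix),
 * 0 if it is the fixed build or newer, -1 if the string is not a version. */
int chrome_is_affected(const char *installed) {
    long inst[4], fixed[4];
    if (parse_version(installed, inst) != 0) return -1;
    if (parse_version(FIXED_VERSION, fixed) != 0) return -1;
    return compare_versions(inst, fixed) < 0 ? 1 : 0;
}

int main(int argc, char **argv) {
    /* Usage: ./check <installed-version>; a constructed sample is used otherwise. */
    const char *v = argc > 1 ? argv[1] : "148.0.7700.10";
    int r = chrome_is_affected(v);
    if (r < 0) {
        fprintf(stderr, "unparseable version: %s\n", v);
        return 2;
    }
    printf("%s is %s\n", v, r ? "AFFECTED (older than " FIXED_VERSION ")" : "fixed");
    return r;
}
```

The exit status (1 affected, 0 fixed, 2 unparseable) lets the check be dropped into an inventory script that feeds the installed version from whatever the endpoint reports.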
Risk and Exploitability
The exploit requires social engineering or a malicious web page to lead the user through the triggering gestures. The EPSS score of 0.0008 (below 1%) indicates a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score of 8.8 rates the flaw as high severity: once triggered, it allows an attacker to execute arbitrary code inside the browser sandbox. Although the attack surface is confined to the sandbox, the potential for privilege escalation or persistent compromise remains significant if the sandbox is subsequently breached. No active exploitation has been reported, but the high CVSS score warrants timely patching.