An instance of uninitialized use in the Skia graphics library, present in Google Chrome versions prior to 149.0.7827.53, allows an attacker to read memory that has not been properly initialized. When an attacker hosts a maliciously crafted HTML page, the uninitialized memory can be read and the data can leak to that page, violating the Same‑Origin Policy and exposing confidential information from other origins visited by the user.

The vulnerability affects Google Chrome browsers with versions earlier than 149.0.7827.53 on all supported operating systems. No specific platform restrictions are documented, so any installation running the affected version is at risk.

The CVE is scored with medium severity and is not listed in the CISA KEV catalog. The exploit requires only that the user open a crafted web page in the vulnerable Chrome instance; there is no requirement for elevated privileges or local access. Given the lack of a public exploit and the absence of an EPSS score, the current likelihood of exploitation is moderate but could rise if the vulnerability is publicly disclosed. The primary consequence is the potential leakage of cross‑origin data, compromising confidentiality rather than integrity or availability.