The flaw stems from insufficient validation of untrusted input handled by the GPU component in Google Chrome. When a renderer process is compromised—likely through a preceding vulnerability or social‑engineering attack—an attacker can supply a specially crafted HTML page that causes the GPU code to read beyond its intended bounds, potentially exposing sensitive data from the renderer’s memory. This weakness is a classic input validation flaw, corresponding to CWE‑20, and is also classified as CWE‑1286, and the primary impact is the disclosure of information rather than code execution.

Google Chrome browsers on all platforms remain vulnerable when running versions prior to 149.0.7827.53. The issue is confined to the GPU‑enabled renderer process; any installation that has hardware acceleration enabled is susceptible.

Chromium’s security assessment gives the vulnerability a CVSS score of 6.5, indicating medium severity. The EPSS score is less than 1%, and it is not listed in the CISA KEV catalog. The exploitation path still requires a renderer process to have been compromised first, likely via another flaw or social engineering. After compromise, a malicious HTML payload can trigger the GPU bounds‑check failure and read renderer memory, potentially exposing session tokens or passwords. Although the risk is moderate, the information disclosure can be significant, so timely patching is advised.