ANGLE, a platform abstraction layer within Chrome, contains an integer overflow flaw (CWE-472, CWE-190) that can be triggered by a crafted HTML page. When a renderer process is already compromised, exploiting this overflow may allow the attacker to escape the browser sandbox and execute arbitrary code on the host system. The vulnerability’s primary consequence is the potential loss of confidentiality, integrity, and availability of the victim’s machine.

All users running Google Chrome versions earlier than 149.0.7827.53 are affected. The flaw resides in the ANGLE component and is present in the stable channel of Chrome prior to that specific revision.

The EPSS score is < 1% and the vulnerability is not listed in the CISA KEV catalog, indicating that current exploitation data is limited. The CVSS score of 9.6 indicates a Critical severity, emphasizing the importance of addressing this vulnerability promptly. Nevertheless, the attack requires the execution of a crafted HTML page and prior compromise of the renderer process, implying that the threat is primarily relevant to environments where such code could be delivered and the renderer is exposed. The Chromium severity of Medium indicates a notable potential impact. The absence of a publicly known exploit reduces immediate risk, but the potential impact warrants prompt action.