An insufficient validation of untrusted input in Chromium's ANGLE component allows a sandbox escape in Chrome versions older than 149.0.7827.53. The flaw requires an attacker to have already gained a foothold in the renderer process, after which the validation failure can be triggered via a specially crafted HTML file. If the escape succeeds, the renderer can break out of its sandbox and execute code with elevated privileges, potentially compromising the entire system. This represents a high‑impact threat to confidentiality, integrity, and availability.

Google Chrome desktop versions prior to 149.0.7827.53 are affected. The vulnerability resides in the ANGLE component and impacts any desktop deployment of Chrome, regardless of operating system, but the CVE data does not specify an OS limitation.

Chromium labels the issue as medium severity; the CVSS score is 9.6, indicating critical risk, and the EPSS score is < 1%, indicating a low probability of exploitation. The flaw needs a prior compromise of the renderer process, which typically arises from a drive‑by load or cross‑site scripting attack. No public exploit is listed in the CISA KEV catalog. While the probability of exploitation is uncertain, an attacker who succeeds could escape the sandbox and gain system‑level privileges, so the potential impact is very high. The likely attack path involves delivering a crafted HTML page to a renderer that has already been compromised.