The vulnerability is a use‑after‑free flaw (CWE‑416) in Chrome’s Media component that permits a maliciously crafted HTML page to execute arbitrary code within the browser’s sandbox. In addition to the memory‑reuse issue, the associated weakness (CWE‑825) indicates that the flaw may also lead to undefined behavior or data corruption when the freed memory is accessed. An attacker could supply a specially constructed page that triggers the incorrect release and reuse of a memory region, allowing the execution of code supplied by the attacker. The result is remote code execution on the client machine, violating confidentiality, integrity, and availability of the user session, and providing an attacker with the ability to run arbitrary code without sandbox escape prerequisites.

Google Chrome versions prior to 149.0.7827.53 are affected. The flaw is present in the stable channel and can be triggered by loading a malicious HTML page on any machine running an unpatched instance of Chrome.

The CVSS score of 8.8 indicates high severity. The EPSS score of < 1% shows a very low probability that this vulnerability will be actively exploited in the wild, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a malicious webpage sent to the user; the attacker does not need prior access or credentials. The exploit requires the victim to visit a crafted page, after which arbitrary code can run with the privileges of the browser process, granting local compromise.