Impact
A use‑after‑free flaw in the WebML component of Google Chrome on Windows allows a remote attacker to execute arbitrary code within the browser sandbox by delivering a specially crafted HTML page. The vulnerability, classified as CWE‑416 and CWE‑825, lets untrusted code run in the browser, potentially compromising the confidentiality and integrity of the system while remaining confined to the sandbox.
Affected Systems
The flaw affects Google Chrome browsers running on Windows operating systems, specifically versions earlier than 149.0.7827.53. Users who have not updated Chrome to this or later releases remain vulnerable.
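An added example (not part of the original advisory) for triaging an asset-inventory export against the fixed build named above: it compares versions numerically and reports unparseable values as unknown rather than patched. The CSV columns, host names and sample versions are constructed assumptions.

```python
import csv
import io

FIXED = "149.0.7827.53"  # first fixed Chrome build, as stated on this page

def parse_version(text):
    """Return a 4-tuple of ints for a Chrome version string, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(inventory_csv, fixed=FIXED):
    """Map each host to 'vulnerable', 'patched', 'out_of_scope' or 'unknown'."""
    fixed_v = parse_version(fixed)
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host = row["host"]
        if row["os"].strip().lower() != "windows":
            result[host] = "out_of_scope"  # this page scopes the flaw to Windows
            continue
        version = parse_version(row["chrome_version"])
        if version is None:
            result[host] = "unknown"  # missing or garbled data is not proof of a patch
        else:
            # Tuple comparison is numeric per field; comparing the raw strings
            # would rank "149.0.7827.9" above "149.0.7827.53" and "99..." above "149...".
            result[host] = "vulnerable" if version < fixed_v else "patched"
    return result

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = """host,os,chrome_version
ws-01,Windows,149.0.7827.53
ws-02,Windows,149.0.7827.9
ws-03,Windows,99.0.4844.84
ws-04,Windows,150.0.7900.1
mac-01,macOS,148.0.7700.10
ws-05,Windows,
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```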
Risk and Exploitability
The CVE carries a high severity rating, with a CVSS score of 8.8, indicating significant potential damage if exploited. Exploitation requires the attacker to serve or embed malicious HTML content that triggers the flaw. The EPSS score of < 1% suggests that exploitation is unlikely at present, and the vulnerability is not listed in the CISA KEV catalog, indicating no publicly reported active exploitation. The likely attack vector is inferred to be remote delivery of the crafted page, which could be achieved via compromised websites or phishing emails. Given the high severity but low exploitation probability, the overall risk is moderate at present, yet substantial enough to warrant prompt remediation.