Impact
The flaw involves inappropriate access to process memory within Chrome extensions, allowing a remote attacker who has already compromised the renderer process to read potentially sensitive data from the victim’s memory by loading a specially crafted HTML page. This results in information disclosure and is classified as a medium‑severity vulnerability (CWE‑200). The flaw also falls under CWE‑497, implying potential improper data handling or modification by the affected extension.
Affected Systems
All users running Google Chrome versions earlier than 149.0.7827.53 are affected. The vulnerability impacts every standard desktop build of Chrome in the stable channel across all operating systems that use the default renderer architecture. The flaw is limited to the extension component and does not affect native Chrome binaries directly.
Risk and Exploitability
The EPSS score is <1%, indicating a very low exploitation probability, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the attacker must first compromise the renderer process, which may require exploitation of another flaw or user interaction. Once that condition is met, a specially crafted HTML page can trigger the memory leak, allowing the attacker to read potentially sensitive data from the victim’s session memory. The risk is moderate to high if a renderer compromise is feasible; the CVSS score of 6.5 reflects medium severity, but the potential confidentiality impact justifies prompt remediation. The vulnerability also involves CWE‑497, indicating potential for improper data modification.