The flaw is an uninitialized variable in ANGLE, the graphics acceleration component of Chrome for Windows. A malformed HTML page can trigger the bug, causing the browser to expose data that belong to a different origin. This vulnerability maps to CWE‑457 and CWE‑824, representing uninitialized variable use and improper loop‑count checks respectively, and allows a remote attacker to retrieve cross‑origin information, potentially compromising confidentiality but not executing code or altering system state.

Google Chrome users running the Windows stable release before 149.0.7827.53 are affected. The issue is confined to the ANGLE rendering engine that powers GPU‑accelerated rendering in Chrome on Windows. All desktop installations of those versions must be considered at risk.

An attacker would need to supply a crafted web page to a victim's browser; no additional privileges or local access are required. The CVSS score of 6.5 indicates moderate severity, and the EPSS score of <1% shows a low probability of exploitation. The vulnerability is not listed in CISA's KEV catalog. Because the symptom is data leakage rather than code execution, the overall risk level for typical users is moderate, but systems that handle highly sensitive cross‑origin data should still treat the issue with urgency.