Use after free in the compositing subsystem of Google Chrome on macOS allows a remote attacker who can supply a crafted HTML page to execute arbitrary code on the user’s machine. The flaw, a classic memory mismanagement error (CWE‑416), can compromise the confidentiality, integrity, and availability of the affected system by running malicious code with the privileges of the Chrome process. Chromium classifies the severity as critical, indicating that exploitation would be highly harmful.

Vulnerabilities exist in Google Chrome for macOS versions prior to 149.0.7827.103. Affected users must update to Chrome 149.0.7827.103 or newer to eliminate the flaw; earlier releases cannot be mitigated through configuration changes alone.

Because the vulnerability can be triggered by rendering an attacker‑crafted webpage, the primary attack vector is remote. The EPSS score of <1% indicates a low but nonzero probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog, implying limited publicly known exploitation activity to date. The CVSS score of 7.5 indicates a high level of risk. However, the critical severity assessment by Chromium and the allowance for arbitrary code execution suggest a high potential risk if the flaw is discovered by threat actors.