Impact
A use-after-free vulnerability (CWE-416) in Google Chrome’s Guest View allows a remote attacker to execute arbitrary code within the browser’s sandbox by serving a carefully crafted HTML page. Based on the description, it is inferred that the attacker must deliver a malicious HTML page while the user is in Guest View. This flaw enables bypassing the sandbox’s security boundaries, potentially compromising confidentiality, integrity, and availability if the user visits the malicious page. Chromium rates the severity as High.
Affected Systems
Google Chrome versions prior to 149.0.7827.103 are affected. Only the stable channel releases before this version are susceptible; versions 149.0.7827.103 and newer include the fix.
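A version audit against the fixed release named above, as an added example that is not part of the original advisory. It assumes an inventory of (host, reported Chrome version) pairs from the stable channel; the hostnames, sample versions and function names are constructed for illustration.

```python
import re

# Fixed version taken from the advisory text above.
FIXED_VERSION = "149.0.7827.103"

# Chrome versions have four numeric fields: MAJOR.MINOR.BUILD.PATCH
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_chrome_version(text):
    """Return a 4-tuple of ints, or None if the string is not a full version."""
    m = _VERSION_RE.fullmatch(text.strip())
    return tuple(int(part) for part in m.groups()) if m else None


def classify(version_text, fixed=FIXED_VERSION):
    """Return 'vulnerable', 'patched' or 'unknown' for one reported version."""
    version = parse_chrome_version(version_text)
    if version is None:
        # Truncated or empty data must not be silently counted as patched.
        return "unknown"
    # Tuple comparison is numeric per field; a plain string comparison
    # would rank "149.0.7827.99" above "149.0.7827.103".
    return "vulnerable" if version < parse_chrome_version(fixed) else "patched"


def audit(inventory):
    """Group hostnames by patch status."""
    report = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version_text in inventory:
        report[classify(version_text)].append(host)
    return report


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = [
    ("ws-001", "149.0.7827.103"),
    ("ws-002", "149.0.7827.99"),
    ("ws-003", "148.0.7778.215"),
    ("ws-004", "150.0.7860.12"),
    ("ws-005", "149.0.7827"),   # truncated report
    ("ws-006", ""),             # agent returned nothing
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts in the `unknown` group need a fresh inventory pull before they can be treated as remediated.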
Risk and Exploitability
The CVSS score of 8.8 indicates high risk. EPSS data is currently unavailable, and the issue is not listed in the CISA KEV catalog, suggesting no known active exploitation. Based on the description, it is inferred that the likely attack vector requires a malicious webpage to be loaded while the target is using Guest View, implying that the attacker must either deceive the user into visiting the page or harvest an existing Guest View session. The presence of the use-after-free bug means that exploitation is possible without additional privileges, and the sandbox escape grants full code execution within the browser context. Given the lack of publicly available exploits, the likelihood of immediate attack remains moderate, but the potential impact is severe.