The vulnerability is an out‑of‑bounds read in Skia’s rendering engine that occurs in Chrome versions prior to 149.0.7827.103. When a remote attacker has already compromised the renderer process, a specially crafted HTML page can cause the renderer to read memory beyond its boundaries, exposing cross‑origin data. The flaw is an instance of improper input validation (CWE‑20) and can lead to confidentiality breaches by leaking information that should remain private to another origin.

All installations of Google Chrome built on the stable channel whose version is older than 149.0.7827.103 are affected. This includes desktop operating systems that run Chrome on launch, as noted in the June 2026 stable channel release notes. No specific sub‑versions are listed beyond the upper bound.

Chromium classifies the severity as high, and no EPSS score is currently available. The CVSS score of 3.1 indicates a moderate severity. The issue is not listed in the CISA KEV catalog. Exploitation requires the attacker to first gain control over a renderer process, which is generally achieved via a separate vulnerability or social‑engineering technique. Once inside the renderer, the attacker can read memory and exfiltrate data from other origins. Because the flaw is limited to memory within the renderer, it does not allow arbitrary code execution but provides a clear path to data exfiltration.