Impact
This vulnerability is a use‑after‑free flaw in Google Chrome’s WebCodecs component that lets a remote attacker run arbitrary code within the browser’s sandbox via a specially crafted HTML page. The flaw occurs when a freed memory region is dereferenced after its owning object has been released, allowing execution of arbitrary code inside the confined Chrome process. This weakness corresponds to CWE‑416 and also aligns with CWE‑825, indicating inconsistently managed permissions or privilege context during the WebCodecs operation.
Affected Systems
Google Chrome versions prior to 149.0.7827.103 on desktop platforms that expose the WebCodecs API are vulnerable. The 2026‑06 stable channel security update, rated high severity, addresses the issue by patching the WebCodecs implementation.
Risk and Exploitability
While the EPSS score is very low (<1%) and the vulnerability is not listed in KEV, the high severity label and a CVSS score of 8.8 indicate a serious risk. The attack vector is inferred to be a malicious webpage that a user must open; once the use‑after‑free is triggered, code runs with the sandboxed browser’s privileges, potentially leaking credentials or enabling further exploitation. The attack also exploits improper permission handling (CWE‑825), which could allow the attacker to perform actions beyond the intended sandbox boundaries. Exploitation requires no local access and can be achieved through indirect payload delivery.