Impact
A use‑after‑free flaw exists in the Cast component of Google Chrome prior to version 149.0.7827.115. A malicious actor who controls traffic on the same local network segment can inject crafted packets that are processed by the casting service, potentially causing the Cast process to use deallocated memory. This can lead to a sandbox escape, giving the attacker privileges outside the Chrome sandbox and possibly enabling broader compromise of the host system. The Chromium project has classified this issue as High severity. Based on the description, the vulnerable functionality is tied to local network interaction with Chrome’s Cast feature.
Affected Systems
The vulnerability affects all installations of Google Chrome that are running a version earlier than 149.0.7827.115, regardless of the operating system. Users must be aware that any local network device capable of interacting with the Chrome Cast protocol could serve as the attacker. The flaw is specific to the Cast functionality and does not impact other Chrome components.
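As an added example (not part of the original advisory and not Chrome or OpenCVE tooling), the following Python triages a software inventory against the fixed version named above. The hostnames and reported version strings are constructed sample data, and the input format (free text such as the output of a version query) is an assumption.

```python
import re

# Fixed version stated in the advisory; builds below it are affected.
FIXED = (149, 0, 7827, 115)

# Chrome versions are four dot-separated integers: MAJOR.MINOR.BUILD.PATCH.
# The look-arounds reject longer dotted runs such as "1.2.3.4.5".
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_chrome_version(text):
    """Return the version as a 4-tuple of ints, or None if none is present."""
    match = _VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_text):
    """Classify one reported version string against the fixed build."""
    version = parse_chrome_version(version_text)
    if version is None:
        return "unknown"  # needs manual follow-up, never assumed safe
    # Tuple comparison is numeric per component, so .9 sorts below .115.
    return "affected" if version < FIXED else "fixed"


def triage(inventory):
    """Map each host to affected / fixed / unknown."""
    return {host: classify(reported) for host, reported in inventory.items()}


# Constructed sample inventory (hostnames and version strings are made up).
SAMPLE_INVENTORY = {
    "ws-001": "Google Chrome 149.0.7827.115",
    "ws-002": "Google Chrome 149.0.7827.114",
    "ws-003": "Google Chrome 148.0.7800.200 beta",
    "ws-004": "Google Chrome 150.0.7900.3",
    "ws-005": "chrome: command not found",
    "ws-006": "Google Chrome 149.0.7827.9",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}\t{status}\t{SAMPLE_INVENTORY[host]}")
```

Hosts reported as `unknown` should be checked by hand rather than counted as fixed, since a missing or unparseable version says nothing about the installed build.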
Risk and Exploitability
The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the flaw carries a high severity rating and requires a malicious actor to be on the same local network segment and to deliver specially crafted network traffic to the Cast service. Successful exploitation requires that the victim’s Chrome instance be actively listening for Cast traffic and that the attacker can inject packets before the vulnerable memory is freed. The technical conditions for exploiting the use‑after‑free exist; no publicly disclosed exploit code has been reported, but the risk remains significant for environments where local network traffic is not tightly controlled.