Impact
The vulnerability is a use-after-free in the GPU component of Google Chrome for Android. It allows a remote attacker who has already compromised the renderer process to potentially escape the browser sandbox via a crafted HTML page. The flaw is classified as CWE-416 (Use After Free) and CWE-825 (Expired Pointer Dereference), a classic use-after-free and a related memory-management error. If successful, the attacker could execute arbitrary code with higher privileges than the browser, resulting in remote code execution that could compromise the device.
Affected Systems
Google Chrome for Android, versions prior to 149.0.7827.115, are affected. All Android users running these vulnerable releases are at risk until they upgrade to a patched version.
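A check for the version boundary stated above, as an added example that is not part of the original advisory: it reads the output of `adb shell dumpsys package com.android.chrome` and compares the active Chrome build numerically against 149.0.7827.115. The function names, the embedded sample output and its version values are constructed for illustration.

```python
import re

# Fixed version taken from the advisory text above.
FIXED = (149, 0, 7827, 115)

# Constructed sample of `adb shell dumpsys package com.android.chrome` output,
# trimmed to the relevant lines. A preinstalled Chrome that has been updated
# appears twice: the active copy under "Packages:" and the factory copy under
# "Hidden system packages:". All values below are constructed.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.android.chrome] (a1b2c3d):
    versionCode=782711533 minSdk=29 targetSdk=35
    versionName=149.0.7827.99
Hidden system packages:
  Package [com.android.chrome] (e4f5a6b):
    versionCode=700000000 minSdk=29 targetSdk=34
    versionName=140.0.7000.10
"""

def parse_version(text):
    """Turn '149.0.7827.115' into (149, 0, 7827, 115) for numeric comparison."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version string: {text!r}")
    return tuple(int(p) for p in parts)

def active_version(dumpsys_output):
    """Return the active package's version, ignoring the hidden system copy."""
    active = dumpsys_output.split("Hidden system packages:", 1)[0]
    match = re.search(r"^\s*versionName=(\S+)", active, re.MULTILINE)
    if match is None:
        return None  # Chrome not installed, or output truncated
    return parse_version(match.group(1))

def is_vulnerable(dumpsys_output):
    """True if the active build predates the fix, False if not, None if unknown."""
    version = active_version(dumpsys_output)
    if version is None:
        return None
    # Tuple comparison is numeric per component: 99 < 115, whereas the
    # string "149.0.7827.99" would sort after "149.0.7827.115".
    return version < FIXED

if __name__ == "__main__":
    print("vulnerable:", is_vulnerable(SAMPLE_DUMPSYS))
```

A `None` result should be treated as "unknown" and followed up, not as "patched".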
Risk and Exploitability
Chromium rates the severity as high, with a CVSS score of 8.3. The EPSS score of 0.00206 indicates a very low but nonzero exploitation probability, and the vulnerability is not listed in CISA's KEV catalog, suggesting no known public exploitation at this time. Exploitation requires a remote attacker who controls the renderer process to deliver a crafted HTML page, which could be achieved through an already compromised site or via a drive-by download. If exploited, the attacker could escape the renderer sandbox and compromise the host. Although there is no evidence of public exploitation, the high severity means administrators should treat this as a high-risk vulnerability until it is patched.