The vulnerability is a use‑after‑free bug in the Digital Credentials component of Google Chrome. When a specially crafted HTML page is rendered, the browser can corrupt heap memory, potentially allowing a remote attacker to execute arbitrary code. The flaw is classified as a memory corruption weakness (CWE‑416) and is marked as Critical by Chromium security. The impact is a loss of integrity and confidentiality for the user session, and could lead to full system compromise if exploited successfully.

All Chrome installations running a version prior to 149.0.7827.155 are affected. The vulnerability applies to desktop operating systems where the Digital Credentials feature is enabled. Users on older releases or using earlier versions of Chrome should verify the installed version and consider upgrading if they have not done so already.

The EPSS score of less than 1% indicates that the probability of exploitation in the wild is low, and the vulnerability is not listed in CISA's KEV catalog. Nevertheless, the flaw is of high severity; if an attacker can serve the crafted page to a victim, the memory corruption could be leveraged to run code with the privileges of the Chrome process. The likely attack vector involves an HTTP(S) page containing the malicious content, making it a remote attack that requires the victim to load the page. While the current exploitation probability is low, mitigators should not rely on this – it remains a potentially critical vector that must be patched.