A use‑after‑free flaw exists in Google Chrome’s CSS engine. When the browser parses a specially crafted HTML page, it can corrupt data residing in heap memory. The CVE description states that this corruption could potentially be exploited for malicious purposes. Based on the description, it is inferred that the corruption might provide a vector for arbitrary code execution, though the vendor does not explicitly confirm the full extent of the impact. This weakness is classified as CWE‑416, a deallocated memory access flaw.

Google Chrome versions prior to 145.0.7632.45 on all supported operating systems (Windows, macOS, Linux) are affected, because the vulnerable CSS engine is shared across platforms. No other vendors or products are reported to be impacted.

The flaw carries a CVSS score of 8.8, placing it in the high‑severity range, yet the EPSS score is reported as less than one percent, indicating that exploitation is currently considered unlikely. The vulnerability is not listed in the CISA KEV catalog, suggesting no documented public exploitation. A remote attacker would need to entice a user to load a malicious HTML page, which could be accomplished via a compromised or malicious website, social‑engineering, or a phishing link. Once the page is rendered, the use‑after‑free can trigger heap corruption and potentially lead to the inferred execution of malicious code.