Impact
A heap buffer overflow in the WebCodecs component of Google Chrome allows an attacker who can serve a crafted HTML page to write outside the bounds of allocated memory. The flaw is rooted in the improper handling of buffer sizes (CWE-122 and CWE-787) and can lead to arbitrary code execution, denial of service, or other memory corruption. Chromium security classifies the vulnerability as high severity. Successful exploitation could compromise the confidentiality, integrity, and availability of the affected system. The attacker would gain control over the memory used by Chrome, potentially allowing execution of arbitrary code with the privileges of the browser process.
Affected Systems
Affected systems are installations of Google Chrome before version 145.0.7632.159, on any operating system. This includes Windows, macOS, and Linux distributions that use the official Chrome binary. Users who continue to use older Chrome releases are exposed to the risk until they upgrade to a patched version.
Risk and Exploitability
The CVSS base score of 8.8 indicates high severity. However, the EPSS score is less than 1%, suggesting that, at present, the likelihood of exploitation is low. The vulnerability is not listed in the CISA KEV catalog, further indicating that a known exploit has not been observed in the wild. The likely attack vector is a remote attacker delivering a malicious web page to a user who opens the page in a vulnerable Chrome browser. Successful exploitation requires the user to visit the malicious page and the browser to process it, which triggers the WebCodecs component's memory management flaw.