Google Chrome versions prior to 145.0.7632.159 lack sufficient data validation in the navigation mechanism, enabling a remote attacker to craft an HTML page that may break the browser sandbox. The flaw is an instance of improper input validation (CWE‑20) and has a CVSS score of 9.6, indicating a high‑severity vulnerability. If exploited, the attacker could escape the browser sandbox and execute arbitrary code with the privileges of the user’s account, compromising confidentiality, integrity, and availability of the system.

All operating systems that run Google Chrome, including Windows, macOS, Linux, and any other platforms supported by Chrome, are affected when using versions older than 145.0.7632.159. The issue applies to the stable channel update referenced in the advisory and all earlier releases of that channel.

The EPSS score is below 1 %, suggesting a low probability of exploitation in the wild, and the vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector is remote, requiring delivery of a crafted HTML page to the user, commonly via phishing, malicious advertising, or compromised legitimate sites. Once the user navigates to the page, the browser executes the navigation code with insufficient validation, potentially leading to sandbox escape and code execution. The overall risk is high due to the severity score, but the low exploitation probability and absence from KEV mitigate immediate threat.