Impact
The vulnerability is a heap buffer overflow in the Skia graphics library of Google Chrome. A remote attacker who supplies a specially crafted HTML page can trigger an out-of-bounds write and corrupt memory. The assigned CWE IDs classify the flaw as a heap-based buffer overflow (CWE-122) combined with an out-of-bounds write (CWE-787). The result is arbitrary memory corruption that may lead to remote code execution on the victim's machine.
Affected Systems
The flaw affects Google Chrome version 146.0.7680.70 and older across all desktop operating systems supported by Chrome, including Windows, macOS, and Linux. The vulnerability is tied to the Skia graphics subsystem, which is common to all Chrome releases prior to 146.0.7680.71.
Risk and Exploitability
The CVSS score of 8.8 classifies this vulnerability as high severity. The EPSS score of less than 1% suggests that exploitation is unlikely at the moment, and the flaw has not been reported in the CISA Known Exploited Vulnerabilities catalog. The attack vector is remote, relying on a crafted HTML page delivered over the network to a victim's browser. Because the bug resides in a heap buffer, an attacker could potentially overwrite arbitrary data, elevate privileges within the browser process, or execute injected code, assuming the user allows HTML content from untrusted sources. While there are no publicly disclosed exploits as of this analysis, the high CVSS score and the potential for remote code execution warrant immediate patching.