Impact
A defect in the V8 JavaScript engine of Google Chrome caused object corruption that lets an attacker run arbitrary code inside the browser process sandbox. The bug falls under the memory corruption and type confusion weakness classes, which can lead to code execution on the client machine. Although the attacker gains code execution only within the sandboxed environment, any successful exploit could provide a foothold that may be leveraged for further attacks if the sandbox is subsequently broken or used to execute additional malicious payloads. This combination of memory safety violations is most consistent with the listed weaknesses CWE-120 and CWE-843.
Affected Systems
The vulnerability affects all desktop editions of Google Chrome released before version 146.0.7680.178 on every major operating system, including macOS, Linux, and Windows, as indicated by the referenced Common Platform Enumeration strings. Users whose browsers remain on these legacy versions are at risk regardless of platform.
Risk and Exploitability
The flaw carries an overall CVSS score of 8.8, classifying it as high severity, yet its EPSS score is below 1%, indicating a very low probability of being actively exploited in the wild at present. It is not listed in the CISA KEV catalog. The exploitation path requires a remote attacker to serve a crafted HTML page that a victim's Chrome will render, which is a straightforward attack vector for malicious sites or phishing campaigns. No additional discovery or privileged access is needed once the user opens the page, making the vulnerability readily exploitable in typical web browsing scenarios.