Impact
A heap buffer overflow in the WebML component of Google Chrome allows a remote attacker to achieve arbitrary code execution by getting the victim to load a specially crafted HTML page. The flaw is a memory-safety defect: the out-of-bounds heap write lets an attacker overwrite critical data structures adjacent to the overflowed buffer (CWE‑122, CWE‑131). Successful exploitation grants the attacker the ability to run arbitrary instructions with the privileges of the Chrome process, potentially leading to full system compromise if the user’s context allows the browser to access critical resources. The vulnerability is classified as critical by Chromium’s security team.
Affected Systems
The vulnerability exists in all versions of Google Chrome earlier than 147.0.7727.55 across supported operating systems, including Windows, macOS, and Linux. All users running these affected releases should consider themselves at risk, as the flaw can be triggered from any website that an attacker controls or into which an attacker can inject a malicious page. The listed CPEs confirm that the issue spans desktop builds for Microsoft Windows, Apple macOS, and Linux.
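Because the affected range is "everything earlier than 147.0.7727.55", the practical check for a defender is a correct version comparison across a fleet. The following is an added example, not part of the advisory or of Chromium's tooling: it parses Chrome's four-part version out of `--version` style output, compares it component-wise as integers (a plain string comparison would wrongly treat `9.x` as newer than `147.x`), and separates hosts whose version could not be read so they are not silently counted as patched. The fixed version is the one stated above; the hostnames and version strings are constructed sample data.

```python
import re

# Fixed release named in the advisory; every earlier build is affected.
FIXED_VERSION = "147.0.7727.55"

# Matches a four-part Chrome version inside strings such as
# "Google Chrome 146.0.7711.100" or a bare "146.0.7711.100".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_chrome_version(text):
    """Return the four-part Chrome version found in `text` as a tuple of ints,
    or None when no version string is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_affected(installed, fixed=FIXED_VERSION):
    """True when `installed` (string or tuple) is earlier than the fixed release.
    Comparison is component-wise on integers, so 146.0.7711.100 < 147.0.7727.55
    and 9.0.7727.55 < 147.0.7727.55, which a string comparison would get wrong."""
    inst = parse_chrome_version(installed) if isinstance(installed, str) else tuple(installed)
    fix = parse_chrome_version(fixed) if isinstance(fixed, str) else tuple(fixed)
    if inst is None or fix is None:
        raise ValueError("could not parse a Chrome version")
    return inst < fix


def triage(inventory):
    """Given {hostname: version output}, return (affected_hosts, unparseable_hosts).
    Hosts whose output cannot be parsed are reported separately rather than being
    treated as patched."""
    affected, unknown = [], []
    for host, output in inventory.items():
        version = parse_chrome_version(output)
        if version is None:
            unknown.append(host)
        elif is_affected(version):
            affected.append(host)
    return sorted(affected), sorted(unknown)


# Constructed sample inventory: hypothetical hostnames and `--version` outputs.
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 146.0.7711.100",   # earlier than the fix: affected
    "ws-02": "Google Chrome 147.0.7727.55",    # exactly the fixed release: not affected
    "ws-03": "Google Chrome 147.0.7727.60",    # later than the fix: not affected
    "ws-04": "Google Chrome 9.0.7727.55",      # lower major; string comparison would call this patched
    "ws-05": "command not found",              # no version: must be reported, not ignored
}

if __name__ == "__main__":
    affected, unknown = triage(SAMPLE_INVENTORY)
    print("affected hosts:", affected)
    print("unparseable hosts:", unknown)
```

The `triage` function is the piece worth reusing: feed it the output of whatever inventory tool reports installed Chrome versions, and act on both lists, since a host with no readable version is an unknown, not a pass.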
Risk and Exploitability
The CVSS score of 8.8 reflects a high severity, while the EPSS score of less than 1% indicates that public exploitation is unlikely at present. The vulnerability is not yet listed in CISA’s KEV catalog. An attacker would need to get a malicious HTML page loaded in the target browser; no local access or existing privileges are required. Once the page is loaded, the buffer overflow can be triggered, leading to remote code execution without any user interaction beyond opening the page. Because the attack vector is remote over the web, it can potentially affect any user who visits or loads the crafted content.