Impact
Insufficient validation of untrusted input in the Media component of Google Chrome 147.0.7727.55 and earlier allows a remote attacker who has already compromised a renderer process to execute arbitrary code inside the sandboxed renderer. The flaw is a classic input-validation issue (CWE-20): data originating from untrusted HTML is not sanitized, which lets the attacker inject malicious payloads. Because that code runs with renderer-level privileges, it can tamper with browser state, steal information, or, if a sandbox escape is achieved, pivot to more privileged layers.
Affected Systems
Google Chrome desktop installations on Windows, macOS, and Linux running stable channel version 147.0.7727.52 or earlier are affected. The advisory lists the vulnerable range as extending up to 147.0.7727.55, the version released as the security update for all three operating systems. Any user who has not yet updated to this version is potentially exposed.
Risk and Exploitability
Chromium rates the vulnerability as Medium severity, and it is not currently listed in the CISA KEV catalog, indicating no publicly documented widespread exploitation. EPSS data is not available, so the probability of a real-world attack remains uncertain. However, the preconditions for exploitation (an attacker who has first compromised the renderer process and then navigates it to a crafted page) represent a realistic attack path for advanced persistent threats or malware campaigns that target browser weaknesses. The code runs within the sandbox, so the risk of full system compromise depends on a successful sandbox escape; without one, the threat is limited to browser-level attacks.
OpenCVE Enrichment