Impact
A flaw in Google Chrome’s media handling fails to properly validate untrusted input, allowing a malicious HTML page to cause the renderer process to execute arbitrary code within its sandbox. The vulnerability enables an attacker to run unintended code, posing a risk of unauthorized access to user data, configuration, or system resources depending on the sandbox permissions and any privilege escalation that may follow. The identified weaknesses correspond to CWE‑20 (Improper Input Validation) and CWE‑79 (Improper Neutralization of Input), confirming that the issue arises from insufficient sanitization of external content.
Affected Systems
Google Chrome versions older than 147.0.7727.55 are affected on all supported platforms: Windows, macOS, Linux and other operating systems where Chrome is installed. The affected software is the Chromium‑based browser component, with no other vendor products listed.
Risk and Exploitability
The CVSS score of 8.8 reflects high severity, while the low EPSS probability (<1%) indicates limited exploitation activity reported so far. The vulnerability is not yet catalogued in the CISA KEV list, suggesting no confirmed widespread attacks. Exploitation requires an attacker who can deliver a crafted HTML page to a user and first compromise the renderer process; once that is achieved, arbitrary code can be run inside the sandbox, potentially paving the way for further compromise if sandbox escape mechanisms succeed.