Impact
The vulnerability arises from insufficient validation of untrusted input in the WebML component of Google Chrome. A crafted HTML page can cause the browser to read data from its own process memory, allowing a remote attacker to retrieve potentially sensitive information. This does not result in code execution or a denial of service; the primary impact is the exposure of internal data that could be used for further attacks. The weakness is identified as improper input validation and unsafe memory handling, matching CWE-20 and CWE-1286.
Affected Systems
Google Chrome on Windows machines running any version prior to 147.0.7727.55 is affected. The issue was discovered in the Chrome binary that ships with Windows builds; no other operating systems or Chrome releases are reported to be impacted.
Risk and Exploitability
The CVSS score of 6.5 classifies the bug as Medium severity, and the EPSS score of less than 1% indicates a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, further suggesting limited exploitation activity. Attackers would need to deliver a malicious HTML page to a user browsing in Chrome, typically through phishing or local files, to trigger the memory disclosure. Once triggered, the attacker can read the leaked data but cannot gain full control of the system. The overall risk to organizations is moderate, largely governed by how widely the specific vulnerable Chrome version is deployed and how often users access untrusted or user-generated content.