Impact
An uninitialized use bug in the WebCodecs API of Google Chrome allows a remote attacker to read potentially sensitive data from the browser's process memory when a specially crafted HTML page is loaded. The flaw is triggered when WebCodecs code references memory that has not been properly initialized, leading to leakage of information that might include credentials or other private data. Because this vulnerability is triggered by a web page, it can be exploited by any site that an attacker controls or by executing a malicious script in a victim's browser session.
Affected Systems
Google Chrome browsers running versions before 147.0.7727.55 are affected. The advisory applies to the stable desktop channel used on Windows, macOS, and Linux. Users running older releases, or manually installed builds that do not include the fix, are at risk.
Risk and Exploitability
Chromium assigns medium severity to this issue. EPSS data is not available and the vulnerability is not listed in CISA’s KEV catalog, so publicly reported exploit activity is unknown. If an attacker can host a malicious web page, the bug can be triggered remotely without any additional authentication. The overall risk is moderate, driven primarily by the ease of attack via a standard web page and the potential value of the leaked memory contents. Timely patching is advisable to eliminate the exposure.