A race condition in the WebCodecs component of Google Chrome could allow a remote attacker to read fragments of process memory after a crafted HTML page is loaded. This flaw may expose sensitive information if the memory contains credentials, cryptographic keys, or other confidential data. The weakness corresponds to CWE‑362, which is a modification order or synchronization error. The vulnerability is listed as medium severity, indicating that while likely insufficient alone for full data exfiltration, it can facilitate other attacks or lead to partial information leaks.

Google Chrome browsers running any version prior to 147.0.7727.55 are vulnerable. The issue was identified in the Chrome stable channel and applies to the desktop build of the browser. Users with older releases should upgrade to the patched version.

The exploit requires the attacker to host a malicious web page that the victim visits. The attack can be carried out in a normal browsing session without special permissions. Because the flaw is a synchronization race, injection of crafted script or media data is sufficient. No exploit probability score is published and the vulnerability is not listed in the CISA KEV catalog, suggesting it is not actively weaponized. Nevertheless, the medium severity and the ability to obtain memory contents warrant prompt remediation. The primary risk is leakage of confidential data from the browser process.