Google Chrome contained a flaw in its media handling code where insufficient input validation allowed an attacker to craft a malicious video file that triggers an out‑of‑bounds memory read. The read occurs while processing the video, potentially exposing arbitrary data residing in Chrome’s process memory. The defect is characterized as a low‑severity vulnerability, implying that exploitation is not straightforward but still may reveal sensitive information to the attacker.

Versions of Google Chrome earlier than 147.0.7727.55 on any supported platform are affected. The vulnerability is present in the Chrome browser’s media component that decodes video files. The flaw applies to the stable channel until the referenced update is installed.

The CVSS severity is low and the exploitation probability is unknown due to the lack of EPSS data. The vulnerability is not listed in the CISA KEV catalog, suggesting no known active exploits. A likely attack path involves a remote attacker delivering a crafted video file to a user’s browser, either via a malicious website or a tricked download. The read can be performed without additional privileges, providing potential for information disclosure. Given the limited impact level and no public exploit, the threat is moderate but should still be remediated promptly.