Impact
This vulnerability is a use‑after‑free bug in Chrome’s prerendering subsystem that allows a remote attacker to execute arbitrary code when a victim loads a specially crafted web page. The flaw arises when memory belonging to a prerendered page is freed while pointers to it remain live; a later access through such a dangling pointer enables code execution in the context of the victim’s browser session. It is classified as a use‑after‑free (CWE‑416) and may also lead to information leakage (CWE‑825) when uninitialized memory is accessed. Chromium has rated the defect as Critical because successful exploitation bypasses normal privilege boundaries and can affect any user who visits a maliciously constructed site.
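The defect class described above (an object is destroyed while other code still holds a pointer to it, and the freed slot may be reused for a different object) is illustrated here with an added example that is not Chromium code and does not reflect the actual prerender implementation. It shows one standard mitigation: referencing lifetime‑managed objects through an index‑plus‑generation handle instead of a raw pointer, so that a stale reference resolves to a checkable nullptr rather than to freed or recycled memory. The PrerenderedPage, PageHandle and PageRegistry names are constructed for the illustration.

```cpp
#include <cstdint>
#include <memory>
#include <string>
#include <vector>

// Stand-in for a prerendered page (constructed for this example; not a
// Chromium type).
struct PrerenderedPage {
    std::string url;
};

// A handle carries the slot index plus the generation that was current when
// the handle was issued. A raw pointer would keep "working" after the page is
// destroyed; a handle with an outdated generation is rejected instead.
struct PageHandle {
    uint32_t index;
    uint32_t generation;
};

class PageRegistry {
public:
    // Allocate a page, reusing a free slot when one exists. Slot reuse is what
    // makes a stale raw pointer dangerous: it silently aliases a new object.
    PageHandle Create(const std::string& url) {
        auto page = std::make_unique<PrerenderedPage>();
        page->url = url;
        for (uint32_t i = 0; i < slots_.size(); ++i) {
            if (!slots_[i].page) {
                slots_[i].page = std::move(page);
                return PageHandle{i, slots_[i].generation};
            }
        }
        slots_.push_back(Slot{std::move(page), 0});
        return PageHandle{static_cast<uint32_t>(slots_.size() - 1), 0};
    }

    // Returns nullptr for any handle whose generation no longer matches, so the
    // caller sees an explicit failure instead of touching freed memory.
    PrerenderedPage* Resolve(PageHandle h) {
        if (h.index >= slots_.size()) return nullptr;
        Slot& s = slots_[h.index];
        if (!s.page || s.generation != h.generation) return nullptr;
        return s.page.get();
    }

    // Frees the page and bumps the generation, invalidating every outstanding
    // handle to that slot at once.
    void Destroy(PageHandle h) {
        if (Resolve(h) == nullptr) return;
        slots_[h.index].page.reset();
        ++slots_[h.index].generation;
    }

private:
    struct Slot {
        std::unique_ptr<PrerenderedPage> page;
        uint32_t generation;
    };
    std::vector<Slot> slots_;
};

// Scenario: a component keeps a handle to a prerender, the prerender is
// cancelled, and its slot is reused for a new page. The stale handle must not
// resolve to the new page.
bool StaleHandleIsRejected() {
    PageRegistry registry;
    PageHandle first = registry.Create("https://example.test/a");
    registry.Destroy(first);
    PageHandle second = registry.Create("https://example.test/b");  // reuses slot 0
    PrerenderedPage* current = registry.Resolve(second);
    return registry.Resolve(first) == nullptr &&
           current != nullptr && current->url == "https://example.test/b";
}

// A handle that was never issued (index out of range) is rejected too.
bool UnknownHandleIsRejected() {
    PageRegistry registry;
    registry.Create("https://example.test/c");
    return registry.Resolve(PageHandle{7, 0}) == nullptr;
}
```

The generation counter is the important part: resetting the slot alone would still let a stale handle alias whatever object is allocated into that slot next, which is exactly the reuse pattern a use‑after‑free relies on.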
Affected Systems
Google Chrome versions prior to 147.0.7727.101 are affected. The issue applies to all platforms that ship the desktop stable channel of Chrome with prerendering enabled. Any device running a Chrome build that has not received the 147.0.7727.101 update is vulnerable.
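A practitioner auditing a fleet needs to compare each installed build against the fixed version, and version strings often arrive with surrounding text (for example the output of a browser’s --version flag or an inventory record). The following added example, not part of the advisory, parses a four‑component Chrome version out of such a string and reports whether the build is older than 147.0.7727.101; the kFixedVersion constant, ParseVersion and IsAffected are names chosen for this illustration, and an unparsable string is treated conservatively as 0.0.0.0, i.e. affected.

```cpp
#include <cctype>
#include <string>
#include <vector>

// Fixed version as stated in the advisory.
const char* const kFixedVersion = "147.0.7727.101";

// Extract the first dotted numeric version from text such as "147.0.7727.101"
// or "Google Chrome 147.0.7727.101". Components beyond the fourth are ignored;
// missing components are treated as 0, so unparsable input becomes 0.0.0.0.
std::vector<unsigned long> ParseVersion(const std::string& text) {
    std::vector<unsigned long> parts;
    size_t i = 0;
    // Skip any leading product name or whitespace up to the first digit.
    while (i < text.size() && !std::isdigit(static_cast<unsigned char>(text[i]))) ++i;
    unsigned long current = 0;
    bool have_digit = false;
    for (; i < text.size() && parts.size() < 4; ++i) {
        unsigned char c = static_cast<unsigned char>(text[i]);
        if (std::isdigit(c)) {
            current = current * 10 + (c - '0');
            have_digit = true;
        } else if (c == '.' && have_digit) {
            parts.push_back(current);
            current = 0;
            have_digit = false;
        } else {
            break;  // end of the version token (space, parenthesis, etc.)
        }
    }
    if (have_digit && parts.size() < 4) parts.push_back(current);
    while (parts.size() < 4) parts.push_back(0);
    return parts;
}

// True when the installed build is older than the fixed version, i.e. still
// affected. std::vector compares lexicographically, which matches dotted
// version ordering once both sides are padded to four components.
bool IsAffected(const std::string& installed, const std::string& fixed = kFixedVersion) {
    return ParseVersion(installed) < ParseVersion(fixed);
}
```

Usage: call IsAffected with the version string collected from each host; a true result means the build still needs the 147.0.7727.101 update.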
Risk and Exploitability
An attacker can exploit this flaw remotely by delivering a crafted HTML page over HTTP or HTTPS; no network access beyond the victim’s visit to the page is required. The attack vector is web‑based: the victim’s browser must process the page to trigger the use‑after‑free. The EPSS score indicates a low exploitation probability (<1%), and the vulnerability has not yet been listed in CISA’s Known Exploited Vulnerabilities catalog. Nevertheless, Chromium labels it Critical, and its CVSS score is 8.8, indicating that exploitation is highly feasible and would grant full code‑execution privileges on the victim machine.