A type confusion vulnerability exists in the Turbofan engine of Google Chrome. This flaw allows a remote attacker to craft a malicious HTML page that, when rendered, results in the execution of arbitrary code inside the browser’s sandbox. The vulnerability is specifically tied to CWE‑843, which denotes type confusion flaws that can lead to unintended data interpretation and execution pathways. The impact is direct code execution within the sandbox, potentially compromising the confidentiality, integrity, and availability of the user’s system if the attacker can escape the sandbox boundary. The effect is essentially the same as if the attacker could run code with the privileges of the browsing context or, under certain conditions, elevate outside the sandbox.

The affected product is Google Chrome, specifically all versions prior to build 147.0.7727.101. Users running earlier releases on any supported operating system (Windows, macOS, Linux) are exposed. The fix is included in the stable channel update released on April 15, 2026, which advances the browser to version 147.0.7727.101 and later.

The CVSS score is 8.8, indicating high severity per standard scoring. Although the EPSS score is not publicly available, the lack of a listed presence in the CISA KEV catalog does not reduce the technical risk; the flaw remains highly exploitable if a threat actor supplies a crafted HTML page. The attack vector is remote: a user visiting a malicious web page can trigger the code execution without additional interaction. Given the CVSS score of 8.8 and the craft required only to create an HTML file, the risk level remains significant for all users on affected versions.