The vulnerability is a use‑after‑free flaw in the Forms component of Google Chrome that allows a crafted HTML page to trigger execution of arbitrary code within the browser’s sandbox. The flaw stems from improper deallocation of form objects, and an attacker can leverage it by presenting a malicious webpage. The impact is the ability to run code with the privileges of the browser process, potentially leading to privilege escalation or data theft. This weakness is classified as CWE‑416.

Google Chrome versions older than 147.0.7727.101 are affected. Any installation of Chrome that has not applied the 147.0.7727.101 update or later is vulnerable. The issue applies to all platforms where Chrome runs, impacting end‑user machines, corporate desktops, and potentially embedded environments that ship the default Chrome bundle.

The vulnerability has a CVSS score of 8.8, indicating high severity. EPSS data is not available, and the issue is not listed in the CISA KEV catalog, but the lack of a publicly available exploit does not diminish the threat. The attack vector is inferred to be a crafted HTML page that a user needs to view, implying a reliance on user interaction; however, once loaded, the attacker can execute code within the browser’s sandbox. The combination of a high‑severity flaw and the need for user action suggests a moderate to high exploitation likelihood in environments where users regularly visit untrusted sites or download HTML files. The risk escalates if system administrators do not promptly resolve the vulnerability.