The flaw is a type confusion bug in the V8 JavaScript engine that allows a remote attacker to run arbitrary code inside the Chrome sandbox through a crafted HTML page. The vulnerability is classified as CWE‑843, indicating improper type handling that leads to unintended type conversion. The potential impact is the execution of code confined to the sandboxed environment of the browser, which can be a foothold for further attacks but does not directly grant native privileges.

All Google Chrome desktop builds—Windows, macOS, and Linux—prior to version 147.0.7727.138 are affected. The issue does not reference mobile, server‑side, or enterprise editions, so the focus is on standard desktop installations.

The attack vector is remote and only requires the victim to load a malicious HTML page, making it easily reachable from any network. The EPSS score of 0.011% indicates a very low, but non‑zero, probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, indicating no current widespread exploitation. The flaw bypasses the sandbox to execute code inside the browser process; while it does not explicitly claim elevation to native privileges, the ability to run arbitrary code within the sandbox can facilitate privilege escalation within the browser or enable lateral movement to other processes. The CVSS score of 8.8 denotes high severity.