Impact
A use‑after‑free flaw was discovered in Chrome’s SVG handling stack that allows a remote attacker to execute arbitrary code within a sandboxed environment by loading a specially crafted HTML page. The flaw can be triggered from the network, leading to code execution and potentially credential theft or other malicious actions. The Chromium team rated the vulnerability as High severity, indicating a significant impact on confidentiality, integrity, and availability for affected users.
Affected Systems
The vulnerability affects all supported operating systems (Windows, macOS, Linux) running any Chromium‑based browser prior to version 148.0.7778.96. The flaw is present in the Stable channel and is fixed in Chrome 148.0.7778.96 and later releases. Users of older releases, including enterprise deployments, should update as soon as possible.
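A fleet check against the fixed version stated above, as an added example that is not part of the original advisory. The tab-separated inventory format, the host names and the function names are assumptions; the sample data is constructed.

```python
import re

# Fixed version taken from the advisory text above.
FIXED = (148, 0, 7778, 96)

# Four dotted numeric fields, as printed by `chrome --version`.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

# Constructed sample inventory (hypothetical hosts): "<host>\t<version output>".
SAMPLE_INVENTORY = """\
ws-001\tGoogle Chrome 148.0.7778.96
ws-002\tGoogle Chrome 148.0.7778.100
ws-003\tGoogle Chrome 147.0.7700.10
ws-004\tChromium 99.0.4844.84 snap
ws-005\tGoogle Chrome 148.0.7778.9
ws-006\tcommand not found
"""


def parse_version(text):
    """Return the version as a tuple of ints, or None if none is present."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def triage(inventory, fixed=FIXED):
    """Split hosts into needs-update, patched, and unknown (manual review)."""
    result = {"needs_update": [], "patched": [], "unknown": []}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, reported = line.partition("\t")
        version = parse_version(reported)
        if version is None:
            # No parsable version: do not assume the host is patched.
            result["unknown"].append(host)
        elif version < fixed:
            # Tuple comparison is numeric per field; comparing the raw strings
            # would rank "99.0..." above "148.0..." and ".100" below ".96".
            result["needs_update"].append(host)
        else:
            result["patched"].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the `unknown` bucket returned no parsable version and should be checked by hand, not counted as patched.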
Risk and Exploitability
The CVSS score of 8.8 indicates a high severity vulnerability, consistent with Chromium’s rating. The EPSS score is not available, and the vulnerability has not been listed in CISA’s KEV catalog. The likely attack vector is a remote user visiting a malicious web page that delivers a crafted SVG file. Since the vulnerability is accessed through normal browser functionality, the attacker does not require privileged access or prior compromise. Once exploited, the attacker can execute code confined to Chrome’s sandbox, which still permits privilege escalation within the sandbox environment and possible lateral movement if additional browser features are leveraged.