An integer overflow in the GPU code path of Google Chrome on Android allows a remote attacker who has already compromised the renderer process to perform arbitrary read/write operations through a specially crafted HTML page. This flaw can lead to execution of malicious code, exposure of sensitive data, or further compromise of the device. The vulnerability is classified as CWE-472, highlighting an integer overflow that leads to out‑of‑bounds access. Chromium regards the overall severity as high.

The flaw affects Google Chrome on Android devices running any version prior to 148.0.7778.96. All Android installations of Chrome below the specified version are vulnerable regardless of device manufacturer or Android release.

The CVSS score of 4.2 indicates a medium severity level for this integer overflow flaw. The EPSS score is currently not available, so the probability of exploitation remains uncertain. The flaw is not listed in the CISA KEV catalog at this time. Based on the description, the likely attack vector is a malicious or compromised web page that can exploit the renderer after the attacker has already gained process‑level access. An attacker would need to supply a crafted HTML page that triggers the integer overflow, enabling them to read or write arbitrary memory within the renderer process. The potential impact extends to arbitrary code execution and data theft within the renderer’s context.