An integer overflow in the GPU code path of Google Chrome on Android allows a remote attacker who has already compromised the renderer process to perform arbitrary read/write operations through a specially crafted HTML page. This flaw can lead to execution of malicious code, exposure of sensitive data, or further compromise of the device. The vulnerability is classified as CWE‑472 and CWE‑190, highlighting an integer overflow that leads to out‑of‑bounds access. Chromium regards the overall severity as high.

The flaw affects Google Chrome on Android devices running any version prior to 148.0.7778.96. All Android installations of Chrome below the specified version are vulnerable regardless of device manufacturer or Android release.

The CVSS score of 4.2 translates to a medium rating under CVSS v3.1. The EPSS score of < 1 % signals a very low probability of exploitation, and the vulnerability is not yet listed in CISA’s KEV catalog. Based on the description, the most probable attack vector involves a compromised or malicious web page that, after the attacker has already gained renderer process access, delivers a specifically crafted HTML payload to trigger the integer overflow and read or write arbitrary memory. This capability can potentially lead to data theft or further compromise within the renderer’s context, including the possibility of executing malicious code if suitable memory regions are targeted.