Google Chrome contains a use‑after‑free vulnerability in its password handling component (CWE‑416) coupled with improper reference handling (CWE‑825) that allows a remote attacker to execute arbitrary code by delivering a crafted HTML page to a user. The flaw exists in all Chrome releases prior to 148.0.7778.96 and can be triggered when the page is rendered in the browser, enabling the attacker to run code with the same privileges as the browser process, potentially compromising confidentiality, integrity, and availability of the victim system.

The vulnerability affects Google Chrome versions released before 148.0.7778.96 on all supported platforms, including Windows, macOS, and various Linux distributions. Users who have not upgraded to the patched release remain exposed regardless of operating system.

The CVSS score of 8.8 classifies the flaw as high risk. Attackers can exploit the vulnerability by publishing a malicious web page that the victim opens, leading to arbitrary code execution with the privileges of the browser process. The EPSS score of < 1% indicates a low likelihood that it will be widely exploited, but this does not diminish the severity of the flaw. The vulnerability is not listed in the CISA KEV catalog, meaning no known widespread exploitation has been documented to date.