Impact
An object lifecycle flaw in Chromium’s V8 JavaScript engine permits a remote attacker to perform an out-of-bounds memory read when a crafted HTML page is rendered. This vulnerability is classified as CWE-125 (Out-of-bounds Read) and CWE-825 (Expired Pointer Dereference): the engine uses a reference to an object whose lifetime has ended, and the resulting read lands outside the intended memory bounds, potentially exposing sensitive data such as secrets or user information. The internal Chromium severity rating for this issue is Medium, and the CVSS score of 4.3 reflects a moderate impact if successfully exploited.
Affected Systems
All installations of Google Chrome prior to version 148.0.7778.96 are affected, regardless of operating system – including Windows, macOS, and Linux. Any device running a vulnerable browser variant is at risk when visiting a malicious web page that contains the exploit construct.
Risk and Exploitability
The EPSS score of < 1% indicates a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, so there is no known widespread exploitation as of the latest data. The CVSS score of 4.3 suggests that, while the impact is limited to data disclosure, the attack can be carried out with only a malicious page served to a user; additional user interaction is not required. Based on the description, the inferred attack vector is a crafted HTML page delivered via the web, which triggers the out-of-bounds read when rendered.