The vulnerability is an out‑of‑bounds read in Skia, located in the rendering engine of Google Chrome. The bug, classified as CWE‑125, allows a remote attacker who has compromised the renderer process to read memory beyond buffer limits. In the context of Chrome, a malicious renderer process that has already been compromised can construct a crafted Chrome Extension to trigger the fault and read data that belongs to a different origin, effectively leaking cross‑origin content. The effect is an information‑disclosure breach that can expose secrets, cookies, or API data residing in memory, although it does not grant code execution.

Google Chrome versions earlier than 148.0.7778.96 are affected. The issue is confined to the desktop stable channel. No other products or operating systems are noted as impacted in the advisory.

The CVSS score for this vulnerability is 3.1, which indicates a low to medium severity. The vulnerability does not have a publicly available EPSS score and is not listed in the CISA KEV catalog, indicating limited evidence of exploitation in the wild. However, the required conditions – a compromised renderer process and a specially crafted extension – suggest that a threat actor with sufficient access can exploit the flaw. The risk is medium as stated by Chromium, driven by the ability to read cross‑origin data but lacking any direct privilege escalation or remote code execution capability.