Impact
This vulnerability arises from insufficient validation of untrusted input in the navigation code of Google Chrome. The flaw allows a remote attacker who has already compromised the renderer process to use a crafted HTML page to potentially escape the renderer sandbox. The missing input validation (CWE-20) can lead to code running outside the sandbox, in the browser process, which is not sandboxed and runs with the full privileges of the logged-in user. The impact is limited to scenarios where the renderer has already been compromised through some other bug; on its own the vulnerability is a sandbox-escape link in an exploit chain, not a complete remote code execution path.
Affected Systems
Google Chrome versions prior to 148.0.7778.96 are affected. The issue affects all users running a build older than that fixed release who have not yet applied the referenced update; the advisory does not restrict the affected platforms further. Chromium classifies the severity of the bug as Medium.
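A practical check for the affected-version boundary, added here as an example and not part of the advisory or of Chrome's own tooling: parse the four-component Chrome version string and compare it numerically against the fixed build. The numeric comparison matters because a plain string comparison misorders builds such as 148.0.7778.100 versus 148.0.7778.96. The sample version strings are constructed; the `google-chrome` binary name is an assumption about the host's packaging (the `--version` flag itself is real).

```python
import re
import subprocess

# First fixed build named in the advisory: anything older is affected.
FIXED_VERSION = "148.0.7778.96"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-component Chrome/Chromium version from text such as
    'Google Chrome 147.0.7700.12' or 'Chromium 148.0.7778.96 snap'.
    Returns a tuple of ints, or None if no version string is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_affected(version_text, fixed=FIXED_VERSION):
    """True when the version found in version_text is older than the fixed
    build. Components are compared as integers, so 148.0.7778.100 sorts
    after 148.0.7778.96 (a string comparison would put it before)."""
    found = parse_version(version_text)
    if found is None:
        raise ValueError(f"no Chrome version found in {version_text!r}")
    return found < parse_version(fixed)


def installed_version(binary="google-chrome"):
    """Run '<binary> --version' and return its output, or None when the
    binary is not on PATH or fails. The binary name is an assumption about
    how Chrome is packaged on the host."""
    try:
        out = subprocess.run([binary, "--version"],
                             capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


if __name__ == "__main__":
    # Constructed sample strings, not output captured from a real host.
    samples = [
        "Google Chrome 147.0.7700.12",     # older major: affected
        "Google Chrome 148.0.7778.96",     # exactly the fixed build: not affected
        "Google Chrome 148.0.7778.100",    # newer patch level: not affected
        "Chromium 148.0.7778.9 snap",      # older patch level: affected
    ]
    for s in samples:
        print(f"{s!r}: affected={is_affected(s)}")

    live = installed_version()
    if live is not None:
        print(f"installed: {live!r}: affected={is_affected(live)}")
    else:
        print("google-chrome not found on PATH; skipping live check")
```

Running the script on a host prints the verdict for the constructed samples and, if `google-chrome` is on PATH, for the installed browser; pass a different binary name to `installed_version()` for other packagings.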
Risk and Exploitability
The CVSS score is 8.3, which falls in the High band, whereas Chromium rates the bug Medium; the two scales weigh the prerequisites differently, and the Chromium rating reflects that a compromised renderer is required first. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog. The attack vector requires that the attacker already controls the renderer process, typically through a separate renderer bug such as a memory-safety flaw in the JavaScript engine or the page-rendering code; the advisory states that the trigger is a crafted HTML page delivered to that compromised renderer. Once this condition is satisfied, the attacker can escape the sandbox into the browser process and from there reach the user's files and other resources. The overall risk is moderate, given the need for a prior renderer compromise and the absence of exploitation data, but the bug is valuable as the second stage of a chain and should be patched promptly.