Google Chrome prior to 148.0.7778.96 contains a flaw where the DataTransfer API does not fully validate transferred data. A remote attacker who has compromised the renderer process can craft an HTML page that triggers the flaw, allowing them to read and write arbitrary memory within the renderer’s address space. This capability could be leveraged to elevate privileges or execute arbitrary code, and is rooted in an input validation weakness described by CWE‑20.

All installations of Google Chrome using a version older than 148.0.7778.96 are affected, regardless of operating system. The issue is confined to the renderer process of the browser, which runs on Windows, macOS, Linux, and other supported platforms.

The CVSS score of 4.2 classifies the vulnerability as medium severity. EPSS is not available, indicating that a public exploitation probability estimate has not been published. The vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed large‑scale exploit campaigns. Exploitation requires the attacker to first compromise the renderer process—often through cross‑site scripting or other local execution vectors—before the arbitrary memory read/write can be exercised. Given these constraints, the risk is limited to scenarios where renderer access is already achieved, but the impact within that process remains serious.