Impact
Google Chrome on Windows has a flaw in ChromeDriver where untrusted input from a crafted HTML page is not properly validated, allowing an attacker to run arbitrary code. The weakness is classified as CWE-20 (Improper Input Validation). Because the code runs within the Chrome process, successful exploitation would compromise the machine that hosts the vulnerable Chrome installation, granting the attacker full control. Chromium flags the issue as low severity, but the nature of the vulnerability raises the risk of remote exploitation.
Affected Systems
The flaw affects the ChromeDriver component in Google Chrome for Windows in versions prior to 148.0.7778.96. Users who have not yet updated to at least this version are at risk; Chrome releases from this update onward are considered secure.
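A fleet check against the fixed build named above, as an added example that is not part of the original advisory. It assumes you have collected `chromedriver --version` output per host; the hostnames and output lines are constructed samples, and `triage` and `parse_version` are hypothetical helper names.

```python
import re

# Fixed build taken from the advisory text above.
FIXED = (148, 0, 7778, 96)

# Matches the four-part version in `chromedriver --version` output.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def triage(inventory):
    """Classify each host as 'vulnerable', 'patched' or 'unknown'."""
    result = {}
    for host, output in inventory.items():
        version = parse_version(output)
        if version is None:
            result[host] = "unknown"      # unparsable output needs manual review
        elif version < FIXED:             # numeric tuple compare, not string compare
            result[host] = "vulnerable"
        else:
            result[host] = "patched"
    return result

# Constructed sample data: hostnames and outputs are made up for illustration.
SAMPLE = {
    "ci-win-01": "ChromeDriver 147.0.7700.10 (constructed-sample)",
    "ci-win-02": "ChromeDriver 148.0.7778.96 (constructed-sample)",
    "ci-win-03": "ChromeDriver 148.0.7778.100 (constructed-sample)",
    "ci-win-04": "ChromeDriver 148.0.7778.9 (constructed-sample)",
    "ci-win-05": "'chromedriver' is not recognized as an internal or external command",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Comparing the parts as integers matters here: a plain string comparison would rank `148.0.7778.100` below `148.0.7778.96` and report a patched host as vulnerable.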
Risk and Exploitability
The CVSS score is 8.8, and the EPSS score is < 1%, indicating a very low but nonzero exploitation probability. Since the flaw allows RCE from a crafted HTML page, the attack vector is inferred to be remote via a browser or ChromeDriver session, and exploitation would require the attacker to host a malicious page or otherwise get ChromeDriver to load it. The solution is to update Chrome to a patched build, after which no known exploitation vectors remain. This vulnerability is not listed in the CISA KEV catalog.