Impact
A use-after-free flaw in the Chrome browser's user interface allows a remote attacker, by means of a crafted HTML page, to potentially escape the renderer sandbox and run code with the privileges of the browser process. The vulnerability is categorized as CWE-416 and CWE-825, indicating classic use-after-free and memory corruption weaknesses that can lead to arbitrary code execution. The impact is therefore high: successful exploitation could compromise system integrity, confidentiality, and availability.
Affected Systems
Google Chrome versions prior to 148.0.7778.168 on all supported operating systems are affected. The fix is distributed starting with Chrome 148.0.7778.168. Users of earlier builds should plan to upgrade to this version or later.
Risk and Exploitability
The flaw has a CVSS score of 9.6, which is Critical severity. No EPSS score is currently available, so the exact likelihood of exploitation in the wild is unknown. Because the attack vector is remote and the payload can be driven through a crafted HTML page, the risk is non-trivial for any user who accepts potentially malicious web content. The vulnerability is not yet listed in CISA's KEV catalog, indicating that no confirmed public exploits have been reported at the time of this analysis. Users should assume that a remote attacker could trigger the use-after-free if they can deliver malicious HTML to the browser, and should therefore consider the risk substantial.