Impact
An uninitialized-use flaw in the GPU components of Google Chrome on Android allows a malicious renderer process to read memory that should have been sanitized, enabling leakage of cross-origin data from other origins. The flaw, classified as CWE-457 "Uninitialized Variable" and CWE-824 "Partial Buffer Overwrite", carries a low CVSS score of 3.1 but is rated high severity by Chromium. Based on the description, it is inferred that the attacker must first compromise the renderer process (for example by luring the user to malicious web content or by exploiting a separate vulnerability) and then trigger the bug through a specially crafted HTML page, exposing sensitive information such as cookies, local storage, and other confidential data belonging to other domains.
Affected Systems
The vulnerability affects all Android installations of Google Chrome prior to version 148.0.7778.216. Users who have not updated to this or a later release remain susceptible.
Risk and Exploitability
The EPSS score of less than 1% indicates a very low probability of exploitation in the wild, and the CVSS score of 3.1 together with the absence of this issue from CISA's KEV catalog reinforce a low overall risk assessment. Because the attack requires a compromised renderer process, the threat is further confined to scenarios in which an attacker can deliver malicious content that the renderer will process. Once the renderer is subverted, however, the attacker can read cross-origin data via the crafted page, compromising confidentiality.
OpenCVE Enrichment