Impact
The vulnerability, classified as CWE-125, is an out-of-bounds read that occurs during WebGL operations in Google Chrome on Android. It lets a remote attacker read memory outside the intended bounds and leak data that the attacker should not be able to access. The attacker triggers the flaw by serving a maliciously crafted HTML page, and the leaked data may include sensitive information from other web origins, effectively bypassing the browser's same-origin policy. The primary impact is therefore the disclosure of confidential data to a malicious actor.
Affected Systems
Google Chrome for Android is affected only when the browser version is older than 148.0.7778.216. Any Chrome build before that revision is susceptible; all newer releases include the patch that eliminates the out‑of‑bounds read.
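The following is an added example, not part of the advisory or of any vendor tooling: a Python check that classifies Chrome version strings from a device inventory against the fixed build 148.0.7778.216. The device names and sample strings are constructed, and treating a reduced User-Agent of `148.0.0.0` as indeterminate is this example's own choice, because such a string does not carry the build number.

```python
import re

# First fixed Chrome for Android build, taken from the advisory text.
FIXED = (148, 0, 7778, 216)

_UA_RE = re.compile(r"\bChrome/(\d+)\.(\d+)\.(\d+)\.(\d+)")
_BARE_RE = re.compile(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*")


def parse_version(text):
    """Return the four-part Chrome version as a tuple of ints, or None."""
    m = _UA_RE.search(text) or _BARE_RE.fullmatch(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(text):
    """Return 'vulnerable', 'patched', 'indeterminate' or 'unparseable'."""
    v = parse_version(text)
    if v is None:
        return "unparseable"
    # A reduced User-Agent reports MAJOR.0.0.0. Within the fixed major
    # version that cannot be compared against the fixed build number.
    if v[0] == FIXED[0] and v[1:] == (0, 0, 0):
        return "indeterminate"
    return "vulnerable" if v < FIXED else "patched"


# Constructed sample inventory: hypothetical device names with either a
# package versionName or a logged User-Agent string.
INVENTORY = {
    "phone-01": "148.0.7778.215",
    "phone-02": "148.0.7778.216",
    "phone-03": "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/148.0.0.0 Mobile Safari/537.36",
    "phone-04": "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/147.0.0.0 Mobile Safari/537.36",
    "phone-05": "unknown",
}


def audit(inventory):
    """Map each device to its classification."""
    return {device: classify(raw) for device, raw in inventory.items()}


if __name__ == "__main__":
    for device, status in audit(INVENTORY).items():
        print(f"{device}: {status}")
```

Devices reported as indeterminate need their version confirmed from a source that records the full build number, such as the installed package's version name.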
Risk and Exploitability
The vulnerability has a CVSS score of 4.3, indicating low severity, though the Chromium security scale still rates it as high. The EPSS score is < 1%, indicating a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been widely reported or observed in the wild. The attack requires the victim to open a maliciously crafted page in Chrome, so active user interaction is needed. Exploitation would be detected through anomalous memory access patterns within WebGL contexts. Because automated landscape coverage data is absent, the exact likelihood of exploitation remains uncertain, but the potential for data leakage warrants immediate attention.