Impact
An integer overflow in PDFium allows a remote attacker who has already compromised the renderer process to execute arbitrary code inside the Chrome sandbox. The flaw is a classic CWE-472 case in which miscalculated lengths during font parsing trigger overflow conditions that bypass memory-bounds checks. The impact is therefore a full code-execution privilege escalation within the limited renderer context, which can lead to system compromise if the sandbox is subsequently circumvented or malicious payloads are injected. Chromium security rates the vulnerability as high severity.
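The bug class described above, as an added illustration that is not PDFium's code: a length check on a font table record where the 32-bit offset + length sum can wrap, shown beside an overflow-checked version. The record layout (tag, checksum, offset, length, big-endian, as in OpenType table directories) and the 64-byte font size are assumptions for the example.

```c
/* Added illustration (not PDFium's code): bounds-checking a table record in an
 * OpenType-style table directory. Each record carries a 32-bit offset and
 * length read from untrusted data; the naive check wraps, the hardened one does not. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Read a big-endian 32-bit value (OpenType tables are big-endian). */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable pattern: offset + length computed in 32 bits can wrap to a
 * small value, so a record pointing far past the buffer passes the test. */
static bool naive_record_ok(uint32_t offset, uint32_t length, uint32_t font_len) {
    uint32_t end = offset + length;      /* may wrap modulo 2^32 */
    return end <= font_len;
}

/* Hardened pattern: reject the record if the addition overflows, then
 * compare the true end against the font size. */
static bool checked_record_ok(uint32_t offset, uint32_t length, uint32_t font_len) {
    uint32_t end;
    if (__builtin_add_overflow(offset, length, &end))
        return false;
    return end <= font_len;
}

/* Parse one 16-byte table record (tag, checksum, offset, length) and report
 * whether each check accepts it against a font of font_len bytes. */
static void classify_record(const uint8_t *rec, uint32_t font_len,
                            bool *naive, bool *checked) {
    uint32_t offset = be32(rec + 8);
    uint32_t length = be32(rec + 12);
    *naive = naive_record_ok(offset, length, font_len);
    *checked = checked_record_ok(offset, length, font_len);
}

int main(void) {
    /* Constructed record: tag "glyf", checksum 0, offset 0xFFFFFFF0, length 0x20.
     * offset + length wraps to 0x10, which lies "within" a 64-byte font. */
    const uint8_t rec[16] = { 'g','l','y','f', 0,0,0,0,
                              0xFF,0xFF,0xFF,0xF0, 0x00,0x00,0x00,0x20 };
    bool naive, checked;
    classify_record(rec, 64, &naive, &checked);
    printf("naive accepts: %d, checked accepts: %d\n", naive, checked);
    return 0;
}
```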
Affected Systems
Google Chrome browsers on any platform that are running a version earlier than 148.0.7778.216 are affected. The issue is tied to the PDFium component used for rendering PDF and font files. All users of the stable channel of Chrome before the referenced update are potentially vulnerable.
Risk and Exploitability
Exploitability can be quantified: the EPSS score is 0.0008, indicating a very low probability that this vulnerability will be leveraged in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attack requires a compromised renderer process, which is typically achieved via a malicious font embedded in a PDF or web page. An attacker must therefore first deliver a crafted payload to the user and then operate within Chrome's standard sandboxing. The risk remains high because the vulnerability can lead to arbitrary code execution even within the restricted sandbox, and no remediation is available other than updating the browser. The CVSS score of 7.5 indicates high severity. The likely attack path is PDF rendering of a crafted font, inferred from the description of the integer overflow.
OpenCVE Enrichment