Impact
The vulnerability is a classic use‑after‑free bug (CWE‑416) combined with an uninitialized memory use (CWE‑825) in the Bluetooth handling code of Google Chrome on macOS. An attacker who can persuade a user to install a malicious Chrome extension can trigger the use‑after‑free through the Bluetooth subsystem and use the uninitialized memory to execute arbitrary code at the user’s privilege level. This flaw directly enables remote code execution, allowing an attacker to compromise the confidentiality, integrity, or availability of the user’s data and system.
Affected Systems
Google Chrome running on macOS is affected in all versions prior to 148.0.7778.216. The CNA confirmation places the bug within the Chrome release 148 line; all earlier builds are vulnerable. No other operating systems or browsers are listed as impacted in the current data. The fix is already incorporated into Chrome 148.0.7778.216 and later releases.
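A practical check for the affected-version statement above, added here as an example and not part of the advisory or of OpenCVE's tooling: the script reads the installed Chrome build from the app bundle's Info.plist (the standard macOS bundle path is assumed) and compares it numerically against the fixed release 148.0.7778.216 named in the advisory, so a fleet inventory or endpoint script can flag builds that still need the update.

```python
"""Flag Google Chrome builds on macOS that predate the fixed release.

Added example, not code from the advisory. The fixed version string comes
from the advisory text; the Info.plist location is the standard macOS
app-bundle layout and is an assumption about where Chrome is installed.
"""
from __future__ import annotations

import plistlib
from pathlib import Path
from typing import Optional

FIXED_VERSION = "148.0.7778.216"  # first fixed build, per the advisory
# Assumed default install location of the Chrome app bundle on macOS.
CHROME_PLIST = Path("/Applications/Google Chrome.app/Contents/Info.plist")


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '148.0.7778.216' into (148, 0, 7778, 216) for numeric comparison.

    A plain string comparison would rank '148.0.999.0' above '148.0.7778.216',
    so each dotted component is converted to an integer first.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is strictly older than the fixed release."""
    return parse_version(installed) < parse_version(fixed)


def installed_chrome_version(plist_path: Path = CHROME_PLIST) -> Optional[str]:
    """Read CFBundleShortVersionString from the app bundle, or None if not found."""
    if not plist_path.is_file():
        return None
    with plist_path.open("rb") as fh:
        info = plistlib.load(fh)
    return info.get("CFBundleShortVersionString")


def assess(installed: Optional[str]) -> str:
    """Summarise the patch state for a version string (None = Chrome not found)."""
    if installed is None:
        return "chrome-not-installed"
    return "vulnerable" if is_vulnerable(installed) else "patched"


if __name__ == "__main__":
    version = installed_chrome_version()
    print(f"installed: {version or 'not found'} -> {assess(version)}")
```

Components are compared left to right, so 147.x.y.z is flagged regardless of its later fields, while 148.0.7778.216 itself and any newer build are reported as patched.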
Risk and Exploitability
The EPSS score of 0.009% indicates a very low but non‑zero chance of exploitation. The vulnerability is not currently in the CISA KEV catalog, indicating that it has not yet been exploited in the wild, or at least has not been formally reported as such. Exploitation would still require social engineering to convince a user to install a malicious extension, followed by an action that triggers the vulnerability through the Bluetooth subsystem. Should an attacker succeed, arbitrary code would run with the privileges of the Chrome process, enabling malware installation, data theft, or further lateral movement. Until the patch is applied, the risk remains that a targeted user may be compromised.
OpenCVE Enrichment