Impact
Inappropriate handling of file downloads in Google Chrome for Windows causes the browser to ignore its dangerous-file-type protections when a malicious file is presented. The flaw, classified as CWE-20 (improper input validation), allows a remote attacker to supply a file that bypasses the browser's safeguards, so the user can open or execute the file. This can lead to remote code execution if the user interacts with the downloaded content, which is reflected in the medium severity assigned by Chromium.
Affected Systems
Google Chrome for Windows in all versions prior to 144.0.7559.59 is affected. Although the CPE entries list macOS, Linux and Windows, the vulnerability exists only on the Windows platform; Chrome on the other platforms is not impacted by this specific flaw. Users should ensure their Chrome installation is updated to 144.0.7559.59 or later to eliminate the issue.
Risk and Exploitability
The CVSS base score of 5.4 indicates a moderate risk, while the EPSS score of less than 1% suggests that exploitation is unlikely to be widespread. The vulnerability does not appear in the CISA KEV catalog, and no commercial exploits are publicly reported. An attacker would need to host a malicious file or compromise a site to deliver it, and a user must download and open the file for the bypass to succeed. Overall, the threat remains moderate in both impact and likelihood.
OpenCVE Enrichment