Google Chrome on iOS has an insufficient policy enforcement flaw in the Autofill subsystem that lets a remote attacker leak data across origins. A malicious web page can trick the browser into revealing stored form information from other domains. The impact is a breach of confidentiality, as sensitive user data may be exposed to attackers without direct code execution or system compromise. The vulnerability is rated high by Chromium’s internal review.

Version 149.0.7827.53 or later contains the fix. Earlier releases of Google Chrome for iOS before that version are vulnerable. The vulnerability is tied to those Chrome builds for iOS; it is not specifically tied to the underlying OS version or device model. Based on the description, it is inferred that disabling or upgrading Chrome on affected iOS devices resolves the issue.

A user must visit a specially crafted HTML page from a malicious origin for exploitation to succeed; no additional privileges or local code execution are required. Because the EPSS score is not available and the vulnerability is not listed in CISA's KEV catalog, the likelihood of current exploitation is unknown, though the high severity indicates this should be addressed promptly. The attack vector is remote via the web, and the only required action is for the user to load or be tricked into loading the malicious content. Organizations should treat the vulnerability as a high‑risk data‑exposure risk pending mitigations.