An inappropriate implementation in the Web Workers component of Google Chrome prior to version 149.0.7827.53 allows an attacker who can serve a specially crafted HTML page to the browser to bypass the same‑origin policy. The flaw permits reading or interacting with data from other origins that should be inaccessible, potentially leading to data theft, credential leakage, or facilitation of further client‑side attacks. The flaw is identified as a medium severity issue within Chromium's own scoring system.

Users with Google Chrome versions older than 149.0.7827.53 are affected. The CVE does not specify the operating system or platform, so that information is not documented; it is inferred that the issue applies to desktop Chrome installations, but the CVE does not explicitly state that. The vulnerability targets the Workers API used for background script execution in the browser and covers all releases in the stable channel before the patched version.

The CVSS score is 6.5, indicating medium severity, while the EPSS score is < 1%, implying low exploitation probability. The issue is not listed in CISA’s KEV catalog. A common attack vector is a malicious web page that the attacker controls; by embedding a worker that accesses cross‑origin resources, an attacker could read sensitive data. No known public exploit is documented, but the vulnerability requires the victim to visit a crafted page and has no additional host‑side prerequisites.