Impact
The description implies that the attacker must first present a malicious web page to the user and then coerce them into performing specific UI gestures before any spoofing occurs. Inappropriate implementation in the Payments component of Google Chrome before version 149.0.7827.53 allows a remote attacker who has convinced a user to load a crafted HTML page, and then to perform specific user interface gestures, to spoof the browser UI. Through such a page the attacker can alter or mimic the visual presentation of the Payments UI, potentially deceiving the user into believing they are interacting with a legitimate transaction interface. The flaw is classified under CWE-1021, which covers user-interface rendering weaknesses that mislead users. Chromium rates the severity as Medium: the flaw does not provide code execution, but it can materially undermine user trust and privacy.
Affected Systems
The vulnerability affects desktop installations of Google Chrome earlier than 149.0.7827.53. Users on the stable Chrome channel, and users of any distribution that has not yet shipped the June 2026 update, remain exposed.
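A practical first step for defenders is confirming which hosts still run a version below the fixed build. The script below is an added example, not code from OpenCVE, Chromium or the advisory: it parses Chrome's four-part version string and compares it numerically against 149.0.7827.53, which avoids the common mistake of comparing versions as text (where "149.0.7827.9" would wrongly sort after "149.0.7827.53"). The `google-chrome` binary name and the `--version` output format are assumptions about a Linux install; on other platforms substitute the local method of reading the version. The host inventory is constructed sample data.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fixed version from the advisory; every earlier desktop build is affected.
FIXED_VERSION = "149.0.7827.53"

# Up to four dot-separated numeric components.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){0,3})")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a Chrome version from a string such as
    'Google Chrome 148.0.7800.12' or 'Chromium 150.0.7900.0 snap'.
    Returns a tuple of ints padded to four components, or None when no
    version is present. Integer tuples compare correctly, unlike strings."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts)


def is_affected(version_text: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if the reported version is older than the fixed version,
    False if it is at or past it, None if no version could be parsed."""
    found = parse_version(version_text)
    if found is None:
        return None
    return found < parse_version(fixed)


def installed_chrome_version(binary: str = "google-chrome") -> Optional[str]:
    """Ask the local Chrome binary for its version line (assumed binary name;
    returns None if it is missing or unresponsive)."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, timeout=10, check=False)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() or None


# Constructed sample outputs in the format Chrome prints for --version,
# standing in for real hosts so the check runs offline.
SAMPLE_INVENTORY = {
    "host-a": "Google Chrome 148.0.7800.12",
    "host-b": "Google Chrome 149.0.7827.9",    # older than the fix despite "9" > "5" as text
    "host-c": "Google Chrome 149.0.7827.53",
    "host-d": "Chromium 150.0.7900.0 snap",
    "host-e": "command not found",
}


def triage(inventory: dict) -> dict:
    """Map each host to 'affected', 'fixed' or 'unknown'."""
    result = {}
    for host, text in inventory.items():
        state = is_affected(text)
        result[host] = "unknown" if state is None else ("affected" if state else "fixed")
    return result


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

To check the local machine instead of the sample inventory, pass the result of `installed_chrome_version()` to `is_affected()`; a `None` result means the version could not be determined and the host should be treated as unverified rather than fixed.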
Risk and Exploitability
The EPSS score of < 1% indicates a low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score of 4.2 indicates moderate severity. Because exploitation depends on the user following a specific UI gesture sequence after viewing a malicious page, it relies on social engineering. The required user interaction and moderate severity together point to a moderate risk level, which is mitigated by applying the official update.
OpenCVE Enrichment