Insufficient policy enforcement in Google Chrome's Password Manager allowed a remote attacker, who had already compromised the renderer process, to bypass site isolation by serving a specially crafted HTML page. This flaw enables the attacker to gain access to data or actions belonging to other sites within the same browsing session, potentially exposing sensitive information or allowing further malicious activity. The vulnerability is flagged as Medium severity by Chromium's internal review, indicating that while it does not provide direct code execution, it undermines a critical isolation boundary in the browser. Accordingly, the primary impact revolves around confidentiality and integrity violations rather than availability.

All users of Google Chrome on desktop platforms running any version prior to the latest security patch are affected. The Chrome stable channel update that includes this fix was released at Chrome version 149.0.7827.53, and users should upgrade to this or a later revision to eliminate the vulnerability.

Because the exploit requires the attacker to first compromise the renderer process—typically through a local or remote flaw—its immediate risk depends on the presence of other entry points into the renderer. The EPSS score is < 1%, and the issue is not listed in CISA's KEV catalog, indicating a relatively low baseline exploitation probability. Nonetheless, the CVSS score of 8.1 (high severity) combined with the potential for cross‑site data exposure highlights that any environment where compromised renderer processes are possible requires prompt remedial action. The attack vector is inferred to be remote through a crafted HTML page that exploits the Password Manager's policy enforcement flaw, operating from within an already‑privileged renderer context.