Impact
An insecure implementation in the Payments component of Google Chrome on Android allowed a remote attacker who had already compromised the renderer process to serve a crafted HTML page that could fool a user into believing they were interacting with a legitimate domain. The flaw enables domain spoofing, which can facilitate phishing and credential theft, but it does not directly grant code execution or full system compromise. This flaw correlates with CWE-290 and CWE-451, reflecting improper certificate validation and failure to notify on dangerous errors, and with CWE-1021, reflecting an insecure implementation that permits disallowed values. The weakness aligns with improper trust of input leading to user deception rather than with traditional injection or privilege escalation. In short, an attacker could make a user think they are on a genuine vendor site when they are not, eroding confidentiality and user trust.
Affected Systems
Google Chrome on Android versions prior to 149.0.7827.53 are affected. Based on the description, it is inferred that any device running an older stable channel version of Chrome for Android may be vulnerable unless patched to 149.0.7827.53 or later.
Risk and Exploitability
The CVSS score of 6.5 indicates Medium severity, and the EPSS score of less than 1% indicates a very low likelihood of exploitation. The vulnerability is not listed in CISA KEV. Exploitation requires the attacker to already have compromised the renderer process, a relatively high-privilege state within the browser. Consequently, while the impact is significant (domain spoofing can lead to credential compromise), the overall risk is moderate. Attackers would typically need a separate vulnerability or user-run malware that gains renderer control before leveraging this flaw.