Impact
An insecure implementation in the Payments component of Google Chrome on Android allowed a remote attacker, after compromising the renderer process, to serve a crafted HTML page that could fool a user into believing they were interacting with a legitimate domain. The flaw enables domain spoofing, potentially facilitating phishing and credential theft, without directly granting code execution or full system compromise. The weakness aligns with improper trust of input leading to user deception rather than traditional injection or privilege escalation. Simply put, an attacker could make a user think they are on a genuine vendor site when they are not, eroding confidentiality and user trust.
Affected Systems
Google Chrome on Android versions prior to 149.0.7827.53 are affected. Any device running an older stable channel version of Chrome for Android may be vulnerable unless patched to 149.0.7827.53 or later.
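A practical check for the affected range above, added here as an example and not part of the advisory or of Chrome itself: Chrome version strings have four numeric components (MAJOR.MINOR.BUILD.PATCH), so they must be compared component by component as integers, not as strings (a plain string compare would rank "149.0.7827.6" above "149.0.7827.53" and mark a vulnerable build as patched). The fixed version 149.0.7827.53 comes from the advisory; the device identifiers and inventory entries are constructed sample data, and "prior to" is taken to mean strictly less than the fixed version.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed version stated in the advisory: builds strictly below this are affected.
FIXED_VERSION = "149.0.7827.53"

VERSION_RE = re.compile(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*")


def parse_chrome_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse MAJOR.MINOR.BUILD.PATCH into a tuple of ints.

    Returns None for anything that is not exactly four dot-separated integers,
    so malformed inventory entries are surfaced instead of being silently
    counted as patched.
    """
    m = VERSION_RE.fullmatch(text)
    if not m:
        return None
    major, minor, build, patch = (int(g) for g in m.groups())
    return (major, minor, build, patch)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if version < fixed, False if patched, None if unparseable.

    Tuple comparison is lexicographic over integers, which is the correct
    ordering for Chrome's four-component version scheme.
    """
    parsed = parse_chrome_version(version)
    if parsed is None:
        return None
    return parsed < parse_chrome_version(fixed)


def triage_inventory(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (device_id, reported_version) pair to a triage status."""
    result: Dict[str, str] = {}
    for device_id, version in inventory:
        status = is_affected(version)
        if status is None:
            result[device_id] = "unparseable"
        elif status:
            result[device_id] = "affected"
        else:
            result[device_id] = "patched"
    return result


# Constructed sample inventory (device ids and versions are illustrative only).
SAMPLE_INVENTORY = [
    ("pixel-01", "148.0.7745.90"),   # older major/build: affected
    ("pixel-02", "149.0.7827.53"),   # exactly the fixed version: patched
    ("tab-07", "149.0.7827.6"),      # same build, lower patch: affected
    ("tab-09", "unknown"),           # agent failed to report a version
]

if __name__ == "__main__":
    for device, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{device}: {status}")
```

Treating unparseable entries as their own bucket matters in practice: an inventory agent that could not read the browser version should trigger a follow-up, not disappear into the "patched" column.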
Risk and Exploitability
The CVSS assessment is marked as Medium, and the EPSS score is currently not available, so there is no data on exploitation frequency. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires the attacker to already have compromised the renderer process, a relatively high-privilege state within the browser. Consequently, while the impact is significant (domain spoofing can lead to credential compromise), the overall risk is moderate. An attacker would typically need a separate vulnerability, or would need to get the user to run malware, in order to gain renderer control before this flaw could be leveraged.
OpenCVE Enrichment