The flaw lies in Chrome’s handling of navigation requests from extensions that have permission to override default navigation policies. An attacker who convinces a user to install a malicious extension can use that extension to bypass restrictions that normally prevent navigation to certain URLs, such as blocked domains or unsafe content. This gives the attacker authorized control over where the user’s browser can navigate, undermining protection against phishing or malware sites.

Google Chrome on all supported platforms is affected in versions prior to 149.0.7827.53; any user running an older version and who installs an untrusted extension is at risk.

Chromium classifies this vulnerability as Medium severity with a CVSS score of 6.5. The EPSS score is less than 1%, and it is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector requires the user to install a malicious extension, meaning attackers must persuade or trick users into installing the extension, often via deceptive web pages or compromised sites. Once installed, the extension can override navigation restrictions, potentially redirecting users to malicious destinations. While the threat is not as high as some zero‑day exploits, it remains a low‑to‑moderate priority risk and should be mitigated promptly by applying the official Chrome update.