The vulnerability stems from an improper implementation of Custom Tabs in Google Chrome on Android, which enables a local adversary to craft an XML file that triggers privilege escalation. An infected device running a Chrome build older than 149.0.7827.53 could allow an attacker who can place files on the local system to elevate permissions within the browser environment. The flaw is identified with CWE-20 (Improper Input Validation) and CWE-266 (Improper Authorization), and NVD cataloguing indicates an additional CWE classification not explicitly specified (NVD-CWE-noinfo). The CVSS score of 7.3 indicates moderate severity and the vulnerability is associated with a medium‑severity classification by Chromium security.

Google Chrome for Android versions prior to 149.0.7827.53. Devices running affected Chrome builds are susceptible; the flaw does not affect other products or platforms. The vulnerability requires the victim to have a local attacker able to drop a malicious XML file.

Because the attack requires local file placement, the exploit scenario is limited to attackers with physical or local access to the device, such as malicious applications or compromised storage. The EPSS score is < 1% and the vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation. The CVSS score is 7.3; however, the potential for privilege escalation warrants prompt remediation.