The flaw resides in the enforcement of Subresource Integrity, allowing a remote attacker to supply malicious network traffic that can subvert an otherwise valid integrity check. This bypass enables execution of arbitrary code or content as if it were delivered by a trusted source, undermining the content‑security policy that browsers use to guard against cross‑site scripting and other injection attacks. The weakness is a classic example of insufficient input validation (CWE‑20) and failure‑to‑enforce policy (CWE‑354).

Google Chrome browsers running any version prior to 149.0.7827.53 are affected. The vulnerability exists in the stable release channel and is fixed in the patch that ships with Chrome 149.0.7827.53. Users on other channels or older major releases remain vulnerable until they upgrade. No other vendors or products are listed as impacted.

Because the attack vector relies on manipulating network traffic that the browser receives, an adversary only needs to deliver crafted responses to a vulnerable client. The vulnerability is not marked in the CISA KEV catalog. The EPSS score is < 1%, indicating a very low probability of exploitation and that public attacks are not yet documented. The CVSS score of 6.5 indicates the vulnerability is of medium severity. However, given the impact on confidentiality and integrity, the overall risk is elevated for systems that rely on strict CSP enforcement. Without a patch, the flaw could be leveraged to inject malicious code into trusted web pages. Current mitigation efforts should treat this as a medium‑severity risk pending an update.