The flaw resides in the enforcement of Subresource Integrity, allowing a remote attacker to supply malicious network traffic that can subvert an otherwise valid integrity check. This bypass enables execution of arbitrary code or content as if it were delivered by a trusted source, undermining the content‑security policy that browsers use to guard against cross‑site scripting and other injection attacks. The weakness is a classic example of insufficient input validation and failure‑to‑enforce policy (CWE‑20).

Google Chrome browsers running any version prior to 149.0.7827.53 are affected. The vulnerability exists in the stable release channel and is fixed in the patch that ships with Chrome 149.0.7827.53. Users on other channels or older major releases remain vulnerable until they upgrade. No other vendors or products are listed as impacted.

Because the attack vector relies on manipulating network traffic that the browser receives, an adversary only needs to deliver crafted responses to a vulnerable client. The vulnerability is not marked in the CISA KEV catalog and no EPSS score is available, indicating that publicly known exploitation is not documented. However, given the high impact on confidentiality and integrity, the overall risk is elevated for systems that rely on strict CSP enforcement. Without a patch, the flaw could be leveraged to inject malicious code into trusted web pages. Current mitigation efforts should treat this as a medium‑severity risk pending an update.