Impact
An inappropriate implementation in the Android WebView component of Google Chrome allowed a remote attacker to read cross‑origin data via a crafted HTML page, exposing sensitive information to an unauthorized party. The flaw is cataloged as CWE-474 and CWE-346. It gives the attacker unintended access to data from other origins, compromising the confidentiality of those resources. Chromium's internal severity assessment classifies the weakness as medium severity.
Affected Systems
Google Chrome for Android versions prior to 149.0.7827.53 are affected. The flaw exists specifically in the WebView functionality used by Chrome, and therefore any Android device running one of the listed versions may be vulnerable if it hosts or allows execution of the malicious HTML page.
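A version triage for the cutoff above, as an added example that is not part of the advisory: it reads `versionName=` lines from `adb shell dumpsys package com.android.chrome` output and compares them numerically against 149.0.7827.53. The device names and dumpsys snippets are constructed, and taking the highest listed version as the active one is an assumption.

```python
import re

# First unaffected Chrome for Android version, taken from the advisory text.
FIXED = (149, 0, 7827, 53)

# dumpsys prints one "versionName=" line per package record.
VERSION_RE = re.compile(r"^\s*versionName=(\d+(?:\.\d+){3})\s*$", re.MULTILINE)

def parse_version(dumpsys_text):
    """Return the highest versionName in the text as an int tuple, or None."""
    found = [tuple(int(p) for p in v.split(".")) for v in VERSION_RE.findall(dumpsys_text)]
    # Assumption: an updated system app also lists its older preinstalled
    # copy, so the highest version is the one actually in use.
    return max(found) if found else None

def is_affected(version):
    """True if the version is below the fixed build or could not be read."""
    # Tuples compare numerically; as strings "149.0.7827.6" would sort
    # after "149.0.7827.53" and the device would be wrongly cleared.
    return version is None or version < FIXED

def triage(inventory):
    """Map of device id -> dumpsys text; returns sorted ids needing an update or review."""
    return sorted(dev for dev, text in inventory.items()
                  if is_affected(parse_version(text)))

# Constructed sample inventory (not real devices or captured output).
SAMPLE = {
    "pixel-01": "Packages:\n  Package [com.android.chrome] (a1b2c3):\n    versionName=149.0.7827.53\n",
    "tab-02": "Packages:\n  Package [com.android.chrome] (d4e5f6):\n    versionName=149.0.7827.6\n",
    "kiosk-03": ("Packages:\n  Package [com.android.chrome] (0a1b2c):\n    versionName=150.0.7900.10\n"
                 "Hidden system packages:\n  Package [com.android.chrome] (3d4e5f):\n"
                 "    versionName=120.0.6099.43\n"),
    "phone-04": "Unable to find package: com.android.chrome\n",
}

if __name__ == "__main__":
    for device in triage(SAMPLE):
        print(device, parse_version(SAMPLE[device]))
```

Devices whose version cannot be read are reported alongside the affected ones so they get a manual check rather than being silently cleared.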
Risk and Exploitability
The vulnerability is exploitable remotely through a crafted web page, so an attacker needs only to entice a user to visit or load the page. The EPSS score of < 1% indicates a very low but nonzero probability of exploitation, while the CVSS score of 6.5 classifies the flaw as medium. The lack of a KEV listing suggests that no widespread exploitation has been reported to date. The medium severity rating indicates that the impact is significant but not catastrophic, and the attack remains feasible until a patch is available.