Impact
The flaw is an inappropriate implementation of WebAPKs in Google Chrome on Android before version 149.0.7827.53 that allows a remote attacker to craft a WebAPK that masquerades as a different domain. This domain spoofing can trick users into trusting malicious content, potentially enabling phishing, credential theft, or other attacks that compromise the integrity of web interactions. The weakness represents an improper authorization scenario where the domain identity is not properly validated.
Affected Systems
All users running Google Chrome on Android that are on a version earlier than 149.0.7827.53, regardless of device manufacturer, are affected.
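The following is an added example, not part of the advisory or of any Chrome tooling: it classifies devices against the fixed version 149.0.7827.53 by parsing the `versionName=` lines from `adb shell dumpsys package com.android.chrome`. The device names and the sample version strings other than the fixed version are constructed, and treating the highest listed version as the active one is an assumption.

```python
import re

# First fixed release, taken from the advisory text above.
FIXED = (149, 0, 7827, 53)

# Matches the versionName= lines printed by
# `adb shell dumpsys package com.android.chrome`.
VERSION_RE = re.compile(r"versionName=(\d+(?:\.\d+){3})\b")


def installed_versions(dumpsys_output):
    """Return every four-part version in the output as a tuple of ints."""
    return [tuple(int(p) for p in v.split("."))
            for v in VERSION_RE.findall(dumpsys_output)]


def assess(dumpsys_output):
    """Classify one device as 'vulnerable', 'patched' or 'unknown'."""
    versions = installed_versions(dumpsys_output)
    if not versions:
        return "unknown"  # Chrome absent or output not in the expected form
    # Assumption: the highest versionName is the active copy, because an
    # updated Chrome shadows the older preinstalled system package.
    active = max(versions)
    # Tuples compare numerically, so 7827.9 sorts below 7827.53; a plain
    # string comparison would get that case wrong.
    return "vulnerable" if active < FIXED else "patched"


# Constructed sample inventory (not real devices).
SAMPLE_FLEET = {
    "device-a": "    versionName=149.0.7827.53\n",
    "device-b": "    versionName=149.0.7827.9\n",
    "device-c": "    versionName=150.0.7900.10\n    versionName=148.0.7778.120\n",
    "device-d": "Unable to find package: com.android.chrome\n",
}


def fleet_report(fleet):
    """Map each device name to its assessment."""
    return {name: assess(out) for name, out in fleet.items()}


if __name__ == "__main__":
    for name, status in sorted(fleet_report(SAMPLE_FLEET).items()):
        print(f"{name}: {status}")
```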
Risk and Exploitability
The vulnerability is rated as medium severity by Chromium, but no EPSS score is available and the CVE is not listed in CISA KEV, so there is no current evidence of widespread exploitation. It is inferred that the attack vector requires the attacker to deliver a malicious WebAPK, typically through a WebAPK store or an out-of-band (OOB) installation mechanism. Given the lack of exploitation data, the risk is considered moderate, but the potential impact remains significant if the attacker can successfully fool a target user.