Impact
A security flaw in the Paint component of Google Chrome enables a remote attacker to craft an HTML page that circumvents the browser's same-origin policy. Because the policy is not enforced correctly, a page served from one origin can read or manipulate resources from a different origin that it should not have access to. This creates a confidentiality and integrity risk by potentially exposing sensitive data or allowing further malicious code execution. The vulnerability carries a Chromium security severity of Medium.
Affected Systems
The defect exists in Google Chrome on all platforms in versions older than 149.0.7827.53. Users running any pre-149.0.7827.53 build are affected; Chrome 149.0.7827.53 and later builds contain the fix.
Risk and Exploitability
Exploitation appears to require only the delivery of a malicious HTML page rendered in the victim's browser: the attack runs locally in the browser and requires the user to open the page. The Chromium severity is listed as Medium and no EPSS score is available, suggesting limited evidence of active exploitation. The vulnerability is not part of the CISA KEV catalog. Based on the description, the attacker would need to entice a user to load the crafted page, after which the same-origin policy bypass could be leveraged to access or transmit protected resources.