Impact
The vulnerability arises from an inappropriately implemented file input UI in Chrome prior to 149.0.7827.53. When a user opens a crafted HTML page, an attacker who convinces the user to perform specific UI gestures can make the file chooser appear legitimate, leading the user to confirm or submit an unintended file. This flaw enables UI spoofing: a browser UI element is mimicked so that users are misled into trusting the dialog. The weakness reflects insufficient validation of user interactions with the file chooser.
Affected Systems
Google Chrome versions earlier than 149.0.7827.53 are affected. The issue is present in the desktop stable channel on every operating system that runs the stable version of Chrome. Versions equal to or newer than 149.0.7827.53 contain the fix.
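As an added check (example code, not from the advisory or OpenCVE), the helper below decides whether a Chrome version string falls in the affected range, comparing each numeric field rather than the raw string; the inventory values are constructed.

```python
# Added example: classify Chrome builds against the fixed version named in
# the advisory (149.0.7827.53). Not code from the advisory; version strings
# are assumed to come from your own software inventory.
FIXED_VERSION = "149.0.7827.53"


def parse_version(version: str) -> tuple:
    """Split a dotted Chrome version into a 4-tuple of ints.

    Chrome versions have the form MAJOR.MINOR.BUILD.PATCH. Missing trailing
    fields are padded with zeros so a short string such as "149.0" compares
    sensibly against a full one; extra fields are ignored.
    """
    parts = version.strip().split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {version!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))[:4]


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is strictly older than the fixed build.

    Tuple comparison is numeric field by field, so "149.0.7827.9" is
    correctly treated as older than "149.0.7827.53"; a plain string
    comparison would rank "9" above "5" and get this wrong.
    """
    return parse_version(version) < parse_version(fixed)


def triage(versions):
    """Return the subset of an inventory that still needs the update."""
    return [v for v in versions if is_affected(v)]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = ["148.0.7700.10", "149.0.7827.9", "149.0.7827.53", "150.0.8000.1"]
    for v in inventory:
        print(v, "AFFECTED" if is_affected(v) else "fixed")
```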
Risk and Exploitability
The CVSS score is not listed in the source data, and the EPSS score is not available. The vulnerability is also not included in the CISA KEV catalog, indicating a low likelihood of widespread, automated exploitation. However, because the attack requires a user to open a specially crafted web page and then perform guided UI actions, the risk is higher for users who are susceptible to manipulation. The attack relies on social engineering, so a targeted user is more likely to be tricked into performing the necessary gestures. Consequently, organizations that rely on Chrome for sensitive transactions should monitor for phishing attempts and consider additional UI integrity controls to mitigate potential UI spoofing.
OpenCVE Enrichment