An inappropriate implementation in the Safe Browsing component of Google Chrome for macOS lets a remote attacker run arbitrary code by delivering a malicious file. The description indicates that the flaw exists in the file handling logic, and it is inferred that a user must open or otherwise interact with the malicious file for the exploit to trigger. Despite being marked low severity in Chromium’s internal tracking, the vulnerability grants full control over the affected system, threatening confidentiality, integrity, and availability.

The issue affects Google Chrome on macOS versions earlier than 149.0.7827.53. Users running any older build of Chrome on macOS who receive and open a specially crafted file are exposed to the flaw. The product is Google Chrome, and the vulnerability is tied specifically to the Safe Browsing feature of the browser.

The EPSS score is < 1% and, with a CVSS score of 8.1, the vulnerability is not listed in CISA’s KEV catalog, so there is no evidence of active exploitation at the time of this analysis. Nevertheless, the likely attack vector requires an attacker to supply a malicious file and convince the target user to open it, making user interaction a prerequisite. Once triggered, the vulnerability allows full code execution within the browser process. Because the bug lies in Safe Browsing, routine file downloads or URL handling exposes the attack surface, but the exploit is not automatic and depends on user actions.