Impact
Before version 149.0.7827.53, the FoldableAPIs component of Google Chrome contains an inappropriate construction that allows a remote attacker who has already compromised the renderer process to bypass site isolation. The flaw is a misuse of the security controls that normally enforce process isolation for each site, corresponding to CWE-1140 (Incorrect Use of Security Features). Although the Chromium team rates this issue as low severity, it still allows the isolation between sites to be broken, exposing data from other tabs or sites that share the same process space.
Affected Systems
Google Chrome versions earlier than 149.0.7827.53 are affected. This encompasses all desktop installations running those legacy builds.
Risk and Exploitability
Exploitation requires compromising the renderer process, typically through a malicious site that has already bypassed normal protection mechanisms. Once renderer control is achieved, the attacker can serve a crafted HTML page to the vulnerable component and force Chrome to treat remote content as part of the same site. Because the EPSS score is unavailable and the vulnerability is not listed in CISA KEV, the potential for widespread exploitation is currently low, though the impact on isolation between tabs remains significant. The low Chromium severity suggests that the overall risk to system integrity is modest, but isolation boundaries can still be broken.