Impact
The flaw is an instance of CWE‑20, an insufficient input validation weakness, and also aligns with CWE‑79 (cross‑site scripting) because untrusted media is handled improperly and ends up rendered as HTML-like content. The vulnerability affects Google Chrome’s media subsystem. A malicious web page can supply crafted, untrusted media input that, when processed by a renderer process the attacker has already compromised, displays an interface mimicking legitimate UI elements. This UI spoofing can trick users into interacting with fake controls; based on the description, it is inferred that an attacker could use the spoofed interface to capture credentials or other sensitive information. The vulnerability has a CVSS score of 8.3, which classifies it as high severity and indicates that the impact extends beyond mere deception to a potentially significant loss of user trust and exposure of sensitive data.
Affected Systems
All desktop users of Google Chrome running versions earlier than 149.0.7827.53 are affected. The issue applies to the rendering process of Chrome’s media subsystem and is not restricted to a particular operating system.
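The following added example (not part of the original advisory) triages a desktop inventory against the fixed version 149.0.7827.53 stated above. The inventory format, hostnames and the other version strings are constructed for illustration. Versions are compared as four integers, because a plain string comparison misorders builds such as 149.0.7827.9 and 149.0.7827.100.

```python
import re

# First fixed Chrome version, taken from the advisory text above.
FIXED = (149, 0, 7827, 53)

# Constructed sample inventory: "hostname,reported Chrome version".
SAMPLE_INVENTORY = """\
ws-001,149.0.7827.53
ws-002,149.0.7827.9
ws-003,148.0.7700.120
ws-004,149.0.7827.100
ws-005,150.0.7900.1
ws-006,unknown
"""

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a Chrome version."""
    match = _VERSION_RE.fullmatch(text.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_text):
    """Classify one version string as 'affected', 'fixed' or 'unknown'."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # unparseable data needs manual follow-up, not a pass
    return "affected" if version < FIXED else "fixed"


def triage(inventory_csv):
    """Group hostnames from the inventory by classification."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition(",")
        result[classify(version)].append(host.strip())
    return result


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts that land in the unknown group should be checked by hand rather than assumed patched.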
Risk and Exploitability
The EPSS score is <1% and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires that the attacker already have a foothold in the renderer process, typically via malicious web content or compromised extensions, and be able to serve crafted media that triggers the flaw. Because of this pre‑condition, the practical likelihood of exploitation is low. The attack vector is remote and web‑based, and it relies on an existing renderer compromise.