Impact
A flaw in the PDF implementation of Google Chrome versions prior to 149.0.7827.53 allows an attacker who has already compromised the renderer process to deliver a crafted HTML page that spoofs the user interface. The weakness stems from inadequate input validation (CWE-20). It lets the attacker replace or overlay legitimate UI elements with deceptive ones, potentially misleading users about the content they are viewing or the actions they are taking.
Affected Systems
Google Chrome on any operating system is affected in versions earlier than 149.0.7827.53. The vulnerability lies in the PDF rendering component that ships in all standard Chrome releases.
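The practical check for this advisory is whether an installed Chrome build is earlier than 149.0.7827.53. The script below is an added example, not code from the advisory, OpenCVE or the Chromium project: it parses Chrome's four-component version string from typical sources (a bare `a.b.c.d` value or the output of `google-chrome --version` / chrome://version), compares it against the fixed version, and triages a constructed host inventory. The hostnames and version strings are made up for illustration.

```python
import re
from typing import Iterable, Optional, Tuple

# Fixed version from the advisory; any earlier build is affected.
FIXED_VERSION = "149.0.7827.53"


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a dotted Chrome version from free text.

    Accepts raw values such as '148.0.7800.10' as well as lines such as
    'Google Chrome 148.0.7800.10'. Returns a 4-tuple of ints, or None if no
    dotted version is present.
    """
    match = re.search(r"\b(\d+(?:\.\d+){1,3})\b", text)
    if not match:
        return None
    parts = tuple(int(p) for p in match.group(1).split("."))
    # Chrome versions have four components; pad shorter ones with zeros so
    # '149.0' compares as 149.0.0.0 (which is still earlier than the fix).
    return parts + (0,) * (4 - len(parts))


def is_affected(version_text: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if the version is earlier than the fixed build, False if it is at
    or above it, None if no version could be parsed."""
    version = parse_version(version_text)
    if version is None:
        return None
    return version < parse_version(fixed)


def triage_inventory(inventory: Iterable[Tuple[str, str]]) -> dict:
    """Map each (host, version_text) pair to 'affected', 'fixed' or 'unknown'."""
    result = {}
    for host, text in inventory:
        state = is_affected(text)
        result[host] = "unknown" if state is None else ("affected" if state else "fixed")
    return result


# Constructed sample inventory (hypothetical hosts, not real data). The
# strings mimic `google-chrome --version` output and chrome://version values.
SAMPLE_INVENTORY = [
    ("ws-01", "Google Chrome 148.0.7800.10"),   # earlier major build: affected
    ("ws-02", "Google Chrome 149.0.7827.53"),   # exactly the fixed build
    ("ws-03", "149.0.7827.60"),                 # later patch of the fixed build
    ("ws-04", "149.1.0.0"),                     # later minor, compares above fix
    ("ws-05", "Chrome not installed"),          # no version to parse
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Version comparison is done component by component on integers rather than as a string comparison, so `149.0.7827.60` correctly ranks above `149.0.7827.53` even though the strings would sort the other way; unparseable entries are reported as `unknown` rather than silently treated as fixed.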
Risk and Exploitability
No CVSS score is provided, the EPSS score is unavailable, and the issue is not listed in CISA's KEV catalog. The Chromium severity assessment rates it low. Exploitation requires the attacker to first gain control of the renderer process; only then can they serve malicious PDF content or a website that triggers the UI-spoofing page. Because the prerequisite of renderer compromise limits the attack surface, the overall risk to typical users is considered low, but the potential for misleading UI remains a concern in environments where user trust is critical.
OpenCVE Enrichment