A flaw in the enforcement of WebAuthentication policy on Android Chrome allows a compromised renderer process to leak data from another origin through a crafted HTML page. The weakness permits an attacker to read cross‑origin data, exposing user information and potentially sensitive session data. The vulnerability is an access‑control related issue that triggers an uncontrolled data disclosure, matching weaknesses such as improper authorization and insufficient input validation.

Google Chrome for Android versions earlier than 149.0.7827.53 are affected. Users running those releases are at risk until updated to the patched version or a later release.

The vulnerability has a low severity rating in Chromium’s internal scoring system and currently has no EPSS value or KEV listing. Exfiltration can only be achieved if an attacker already has control over the renderer process, which limits the potential attack surface to advanced local or remote compromises. The exploit would be straightforward for a process that bypasses policy checks, but overall risk remains modest due to the prerequisite requirement.