Impact
The flaw lies in the Autofill component of Google Chrome. A remote attacker can construct a web page that causes the browser to display sensitive autofill data that belongs to a different origin, effectively leaking that information. The vulnerability is an information‑disclosure flaw that allows the attacker to read data that should be protected by the same‑origin policy.
Affected Systems
Google Chrome versions older than 149.0.7827.53 are vulnerable. The issue was reported in Chromium before the release of version 149.0.7827.53, which includes the fix. Any system running a pre‑149.0.7827.53 build of Chrome could be impacted, regardless of the underlying operating system.
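A check for the version boundary described above, as an added example that is not part of the original advisory or of any Chrome or OpenCVE tooling. It compares versions numerically, because a plain string comparison would rank 149.0.7827.9 above 149.0.7827.53. The host names and the inventory strings are constructed sample data, and the function names are hypothetical.

```python
import re

# Fixed build, taken from the advisory text above.
FIXED_BUILD = (149, 0, 7827, 53)

# Chrome versions are four dot-separated integers: MAJOR.MINOR.BUILD.PATCH.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_chrome_version(text):
    """Return the four-part version found in text as a tuple of ints, or None."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def is_affected(version_text, fixed=FIXED_BUILD):
    """True if older than the fixed build, False if not, None if unparseable."""
    version = parse_chrome_version(version_text)
    if version is None:
        return None
    # Tuples compare field by field as integers, so 9 < 53 in the last field.
    return version < fixed


def triage(inventory):
    """Sort a {host: version string} mapping into affected/patched/unknown."""
    result = {"affected": [], "patched": [], "unknown": []}
    for host, raw in sorted(inventory.items()):
        state = is_affected(raw)
        key = "unknown" if state is None else "affected" if state else "patched"
        result[key].append(host)
    return result


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = {
    "ws-001": "Google Chrome 149.0.7827.53",
    "ws-002": "Google Chrome 148.0.7778.96 ",
    "ws-003": "Google Chrome 149.0.7827.9",  # older, despite "9" > "53" as text
    "ws-004": "Chromium 150.0.7850.2 snap",
    "ws-005": "not installed",
}

if __name__ == "__main__":
    for state, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{state}: {', '.join(hosts) or '-'}")
```

Hosts that land in the unknown list need a manual look rather than being treated as patched.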
Risk and Exploitability
The Chromium security team rates this bug as low severity, and it is not listed in the CISA KEV catalog. No EPSS score is available, but the lack of a published exploit suggests a low exploitation probability. An attacker would need to host a malicious web page and lure a user of the affected browser to visit it. While the vulnerability does not allow arbitrary code execution or denial of service, the data leakage could be damaging in a phishing or credential‑replay context.