The vulnerability originates from insufficient validation of untrusted input within the Reading List feature of Google Chrome on iOS. An attacker can craft a malicious HTML page that, when a user performs specific UI gestures, bypasses protection mechanisms and gains the ability to elevate privileges on the device. This flaw is classified as a CWE-20 input validation weakness, allowing attackers to exploit the application’s failure to properly sanitize user input.

Google Chrome users on iOS devices running any Chrome version prior to 149.0.7827.53 are susceptible. The issue specifically targets the Reading List functionality available in the Chrome browser and affects all deployments of Chrome on iOS before the indicated patch version.

The exploit requires convincing a user to interact with a crafted web page; thus, it is a user-dependent attack vector. No public exploit or zero‑day package is known, and the CVE is not listed in CISA’s KEV catalog, implying a limited, low–severity footprint at this time. However, because the flaw can result in privilege escalation, organizations that rely on Chrome for critical browsing should treat this as a potential risk, particularly in environments where untrusted web content is frequently accessed. The CVSS score of 8.8 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation.