An inadequate implementation in Page Info in Google Chrome for Android allows a remote attacker who has already compromised the renderer process to bypass navigation restrictions by delivering a crafted HTML page. The flaw does not grant arbitrary code execution but permits the attacker to redirect or open URLs the user should not be able to access, potentially facilitating phishing or other deceptive interactions. The impact is largely limited to the compromised renderer’s context and does not directly expose the operating system or other processes. The CVSS score of 6.5 indicates a medium severity for this vulnerability.

Google Chrome on Android versions prior to 149.0.7827.53 are affected. The vulnerability is present on the Android stable channel and any device running a Chrome installation older than the specified version. No other vendors or product variants are listed.

The CVSS score of 6.5 indicates a medium severity, and the EPSS score is less than 1%, with the vulnerability not listed in the CISA KEV catalog. Based on the description, it is inferred that exploitation requires the attacker to first compromise the renderer process through a local or privilege‑escalation vulnerability or an elevated app; thus the likely attack vector is a local exploit that enables renderer control. Because of that prerequisite, the attack vector is limited and the likelihood of successful exploitation in the wild remains low. Nonetheless, the presence of this weakness underscores the importance of keeping browsers patched and correctly sandboxed.