Impact
Insufficient policy enforcement in Chrome’s Blink rendering engine lets a remote attacker bypass content security policy directives through a specially crafted HTML page. Based on the description, the flaw causes the browser to ignore or incorrectly apply CSP rules, allowing forbidden inline scripts or external resources to be loaded and executed. This could result in a loss of integrity of the browsing context, potentially enabling malicious code to run with the victim’s privileges.
Affected Systems
Users running any version of Google Chrome older than 149.0.7827.53 are affected. Based on the advisory, it is inferred that the vulnerability applies to all platforms covered by the Chrome Stable channel, as no distinctions regarding mobile or beta releases are specified.
Risk and Exploitability
The EPSS score is less than one percent, and the CVSS score of 4.3 classifies this issue as low-severity. The vulnerability is not listed in the CISA KEV catalog, indicating no confirmed widespread exploitation. Based on the description, a remote attacker could deliver a specially crafted HTML page over the network to a victim, provoking Chrome to ignore CSP rules. This inferred CSP bypass would allow the attacker to load or execute prohibited inline scripts or external resources within the victim’s browsing context, compromising the integrity of that session without affecting other system resources.