Insufficient validation of untrusted input within Chrome's Reader Mode on Android allows a local attacker to supply a crafted malicious file that bypasses navigation restrictions. The flaw can cause the browser to open arbitrary URLs that would normally be blocked, potentially leading to unintended content being displayed or executed within the Read Mode context. Because the vulnerability is limited to locally accessible files, it is considered a low‑severity issue under Chromium's internal scoring.

Google Chrome on Android versions earlier than 149.0.7827.53 are affected. The flaw resides in Reader Mode, a feature that converts web pages into reader‑friendly layouts, and specifically in the handling of local files that a user may open. All Android users running an affected Chrome release could be impacted if they enable Reader Mode for local documents.

The attack requires local access to a device and the ability to supply a malicious file to the browser, resulting in an attacker‑controlled navigation. Because it may lead to navigation to arbitrary content, the risk surface is largely confined to the user’s own session. The vulnerability is not listed in the CISA KEV catalog, and the EPSS score of < 1 % indicates that widespread exploitation is unlikely. The CVSS score of 7.7 signals a high severity issue, and the best practice is to apply the official fix by updating Chrome to version 149.0.7827.53 or newer.