Impact
Chrome for iOS implements the same-origin policy inappropriately. A remote attacker can supply a crafted HTML page that makes the browser treat content from one domain as belonging to another, which can enable the attacker to read or modify data from pages served under a different origin. The advisory does not explicitly mention data theft or code execution, so the possibility of such impact is inferred from the violation of same-origin rules.
Affected Systems
Google Chrome for iOS versions earlier than 149.0.7827.53 are affected. Chrome 149.0.7827.53 and subsequent releases contain the patch.
Risk and Exploitability
The EPSS score of less than 1% indicates a very low exploitation probability at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is remote and requires a user to open a malicious web page in the affected browser; automated exploitation is therefore unlikely. Because the same-origin policy is bypassed, an attacker could potentially access cross-origin data; this risk is inferred and not explicitly confirmed in the advisory. The CVSS score of 4.3 reflects low severity, yet the vulnerability remains a moderate concern in environments where users frequently access sensitive web applications on iOS devices.