Impact
An inappropriate implementation of permissions in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker to deceive users through a crafted HTML page. The flaw involves the browser's permission dialog rendering and enables UI spoofing, in which counterfeit dialog boxes or permission requests mimic legitimate Chrome prompts. While no direct data theft or code execution occurs, this manipulation can persuade users to grant permissions or reveal sensitive information, compromising trust and enabling social-engineering attacks.
Affected Systems
All desktop builds of Google Chrome older than version 149.0.7827.53 are impacted, regardless of operating system. The vulnerability is present in every release before that specific version.
Risk and Exploitability
The flaw carries a Chromium security severity of Low, and its EPSS score is unavailable. An attacker only needs to provide a malicious web page that the browser will render, meaning the attack can be performed over the network in many environments. It is not listed in the CISA KEV catalog, but the potential for exploitation remains, particularly for phishing campaigns that rely on convincing UI elements.