Insufficient policy enforcement in the Network component of Google Chrome prior to build 149.0.7827.103 allowed a remote attacker who had already compromised the utility process to craft an HTML page that leaks cross‑origin data. The vulnerability enables unauthorized disclosure of sensitive information that originates from other origins, potentially exposing session data, user credentials, or other confidential content. The nature of the weakness aligns with an information exposure flaw, as reflected in CWE-693.

The affected vendor is Google and the product is Chrome. Any Chrome release earlier than 149.0.7827.103 is vulnerable. Versions 149.0.7827.103 and later are not impacted.

The exploit requires a prior compromise of the utility process, making the initial foothold critical for success. Because the EPSS score is not available and the vulnerability is not listed in CISA KEV, publicly known exploitation has not been reported. Nonetheless, the vulnerability carries a low severity rating, although Chromium's internal assessment marked it as high severity. The most likely attack vector is a remote attacker who can run code in the utility process, then locally deliver a crafted HTML page to the browser to read cross‑origin data. Given the low severity and need for initial compromise, the risk is moderate for systems where the utility process is exposed.