Impact
The vulnerability is an input validation flaw (CWE-20) that allows a remote attacker to manipulate user input in Chrome for iOS. By presenting a specially crafted HTML page and convincing a user to perform specific UI gestures, the attacker can bypass the browser’s navigation restrictions. This can enable the unintended loading of malicious sites or content, potentially leading to phishing or social engineering attacks.
Affected Systems
Affected vendor: Google. Product: Chrome for iOS. Versions prior to 150.0.7871.47 are susceptible. No other versions were listed as affected.
Risk and Exploitability
The exploit requires remote delivery of a malicious page and social engineering to persuade the user to perform a gesture, so active user interaction is a prerequisite. The EPSS metric is not available and the vulnerability is not listed in the CISA KEV catalog. Chromium rates the severity as Medium, which suggests a moderate risk if the user follows the attack instructions. The attack path therefore is feasible but not blastable, making patching and user awareness appropriate mitigations.
OpenCVE Enrichment