Impact
An inappropriate implementation of SVG in Google Chrome before version 150.0.7871.47 allows a remote attacker to deliver a crafted HTML page that forces the browser to render user interface elements that spoof the legitimate UI. The result is that a user can be deceived into interacting with a fake dialog, button or form that appears to belong to Chrome, creating the opportunity for credential theft or other phishing‑like exploitation.
Affected Systems
Google Chrome for desktop (Windows, macOS, Linux) versions prior to 150.0.7871.47. The issue affects the stable channel of Chrome and is applicable to any user who runs a pre‑150.0.7871.47 build and visits a crafted web page containing the vulnerable SVG content.
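A defender's first job with an advisory like this is confirming which endpoints still run a build older than 150.0.7871.47. The following is an added example, not code from the advisory or from Chromium: it parses the `Google Chrome X.Y.Z.W` text that `google-chrome --version` prints, compares the four components numerically (a plain string comparison would wrongly rank 99.x above 150.x), and triages a constructed inventory whose hostnames and version numbers are made up for illustration.

```python
import re

# Fixed build from the advisory; anything strictly below it is affected.
FIXED_VERSION = "150.0.7871.47"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, ...]:
    """Extract a four-part Chrome version from free text such as
    'Google Chrome 149.0.7339.80' and return it as integers so that
    comparison is numeric rather than lexicographic."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(text: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the build described by `text` is older than the fixed build."""
    return parse_version(text) < parse_version(fixed)


def triage(inventory: dict[str, str]) -> list[str]:
    """Return the hostnames whose reported Chrome build still needs the update."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory: hostnames and version strings are invented.
SAMPLE_INVENTORY = {
    "wks-01": "Google Chrome 149.0.7339.80",
    "wks-02": "Google Chrome 150.0.7871.47",   # exactly the fixed build
    "wks-03": "Google Chrome 150.0.7871.12",   # same major, older build
    "wks-04": "Google Chrome 151.0.7900.3",
    "wks-05": "Google Chrome 99.0.4844.51",    # string compare would miss this
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is before {FIXED_VERSION}, update required")
```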
Risk and Exploitability
The vulnerability has a medium severity assessment from Chromium and no known exploitation, as indicated by the lack of a KEV listing and the unavailable EPSS score. The likely attack vector is remote, via an HTTP or HTTPS web page that hosts malicious SVG content, and requires only that the victim load the page in Chrome. Because the flaw does not expose administrative or elevated privileges, its immediate impact is limited to UI deception unless users unknowingly provide credentials or sensitive data to the spoofed interface.
OpenCVE Enrichment