Impact
The vulnerability originates from an incorrect security UI implementation in the LookalikeChecks component of Google Chrome on Android. A remote attacker who can get a user to load a crafted HTML page can cause the browser to render counterfeit interface elements, spoofing the browser's own UI. That enables social engineering: users may be misled into entering sensitive information or taking actions they did not intend. The underlying weakness is classified as CWE-451, User Interface (UI) Misrepresentation of Critical Information. The impact is limited to user misdirection; there is no evidence of code execution or direct system compromise.
Affected Systems
Affected products are Google Chrome for Android versions prior to 146.0.7680.71. The vendor advisory and issue tracker both indicate that the flaw only exists in the Android build; no other operating systems or Chrome desktop versions are listed as affected.
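For anyone who needs to find unpatched installs rather than read the version threshold, the following is an added example (not part of the advisory, the OpenCVE page, or the Chromium project) that pulls the Chrome version out of Android Chrome user-agent strings, as they appear in web server or proxy logs, and compares it numerically against the fixed release 146.0.7680.71 stated above. The sample user agents, device names and build numbers are constructed for the example; the regular expression only recognises Chrome for Android itself, so Android WebView or other Chromium-based Android browsers are reported as not applicable.

```python
import re
from typing import List, Optional, Tuple

# Fixed version from the advisory: Chrome for Android prior to this is affected.
FIXED_VERSION = "146.0.7680.71"

# Chrome on Android advertises "(Linux; Android <ver>; <device>)" in the platform
# token, followed later by "Chrome/<four-part version>". Chrome on iOS uses
# "CriOS/" and desktop builds carry no Android platform token, so neither matches.
_ANDROID_CHROME_RE = re.compile(
    r"\(Linux; Android [^)]*\).*?\bChrome/(\d+\.\d+\.\d+\.\d+)"
)


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Split a Chrome version string into a tuple of four integers.

    Numeric comparison matters: compared as strings, "146.0.7680.9" sorts
    after "146.0.7680.71" and would wrongly be treated as patched.
    """
    parts = version.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-component Chrome version: {version!r}")
    major, minor, build, patch = (int(p) for p in parts)
    return (major, minor, build, patch)


def is_affected(version: str) -> bool:
    """True when the version is strictly older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def chrome_android_version(user_agent: str) -> Optional[str]:
    """Return the Chrome version from a Chrome-on-Android UA, else None."""
    match = _ANDROID_CHROME_RE.search(user_agent)
    return match.group(1) if match else None


def triage(user_agents: List[str]) -> List[Tuple[str, Optional[str], str]]:
    """Classify each UA as 'affected', 'fixed', or 'n/a' (not Chrome on Android)."""
    results = []
    for ua in user_agents:
        version = chrome_android_version(ua)
        if version is None:
            results.append((ua, None, "n/a"))
        else:
            status = "affected" if is_affected(version) else "fixed"
            results.append((ua, version, status))
    return results


# Constructed sample user agents (hypothetical devices and build numbers).
SAMPLE_USER_AGENTS = [
    "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/145.0.7632.88 Mobile Safari/537.36",
    "Mozilla/5.0 (Linux; Android 13; SM-S918B) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/146.0.7680.71 Mobile Safari/537.36",
    # Tablet UA: no "Mobile" token, and a patch number that defeats string compare.
    "Mozilla/5.0 (Linux; Android 15; Pixel Tablet) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/146.0.7680.9 Safari/537.36",
    # Desktop Chrome: out of scope per the advisory.
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/145.0.7632.88 Safari/537.36",
]

if __name__ == "__main__":
    for ua, version, status in triage(SAMPLE_USER_AGENTS):
        print(f"{status:8} {version or '-':16} {ua[:60]}")
```

Feed real log lines in place of SAMPLE_USER_AGENTS; the tuple comparison in parse_version is the part that is easy to get wrong when this is done ad hoc with string sorting or a shell `sort` without `-V`.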
Risk and Exploitability
The CVSS score of 4.3 places the issue in the Medium severity range. The EPSS score of less than 1% indicates a low probability of exploitation in the wild, and the vulnerability is not listed in CISA's KEV catalog. The attack vector is remote and web-based: an attacker only needs to host a page containing the crafted HTML and convince a user to visit it. No privileges on the device are required; the only precondition is user interaction, namely the victim loading the malicious page.