Impact
The vulnerability arises from insufficient policy enforcement in Google Chrome’s browser user interface. A remote attacker who has already compromised the renderer process can craft a malicious HTML page that mimics legitimate UI elements, enabling UI spoofing. The flaw is rated medium severity by Chromium security.
Affected Systems
Desktop versions of Google Chrome earlier than 147.0.7727.55 are affected. The issue is noted in the stable channel update for that version, and the references point to the official Chrome release notes.
Risk and Exploitability
Exploitation requires the renderer process to be compromised, a condition that already indicates a significant breach. With that prerequisite, the attacker can perform spoofing to deceive users into revealing sensitive information or executing unintended actions. Because the EPSS score is unavailable and the vulnerability is not listed in CISA’s KEV catalog, the overall exploitation probability is uncertain, but the medium severity suggests a moderate risk that warrants timely patching.