Impact
A crafted HTML page can cause Google Chrome to automatically download multiple files without prompting the user, bypassing the browser’s built‑in multi‑download protection. This flaw allows an attacker to trigger the acquisition of arbitrary content, potentially including malware or other unwanted files, without the user’s explicit consent. The weakness arises from improper enforcement of download policies, which effectively lets the attacker initiate downloads that should require the user's permission.
Affected Systems
All desktop installations of Google Chrome with versions earlier than 147.0.7727.55 are affected. The issue is not limited to a specific operating system; any platform that runs Chrome in this vulnerable version range can be targeted.
Risk and Exploitability
Chromium classifies the severity of this issue as Low, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is a malicious web page delivered over the network; an unsuspecting user who opens that page may trigger the automatic downloads. Because the flaw does not provide arbitrary code execution, the risk is moderate, yet it remains a vector for phishing and malware delivery when the user is unaware of the downloads.