Impact
The vulnerability is a policy bypass in the download manager of Google Chrome prior to version 147.0.7727.55. A crafted HTML page can circumvent the multiple automatic downloads protection, the check that normally stops a site from starting more than one download without the user's permission. An attacker can therefore push several files to the victim's disk without consent, potentially consuming bandwidth, filling the disk with unwanted files, or serving as a building block for secondary attacks. The weakness maps to CWE‑693 (Protection Mechanism Failure) and CWE‑807 (Reliance on Untrusted Inputs in a Security Decision).
Affected Systems
Google Chrome on Windows, macOS, and Linux at any version earlier than 147.0.7727.55 is affected. Because the flaw sits in Chrome's own download logic rather than in operating‑system specific code, it applies on every platform where Chrome runs; updating to 147.0.7727.55 or later removes it.
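Deciding whether a given install is affected comes down to comparing its build number against 147.0.7727.55, and the common mistake is to compare the version strings lexically. The following is an added example (not part of the advisory and not Google's code) that parses the `--version` output of Chrome into integer components and compares it numerically; the hostnames and version strings in `SAMPLE_INVENTORY` are constructed for illustration, and `naive_is_affected` is included only to show the wrong answer string comparison gives.

```python
"""Check Chrome build numbers against the first fixed build in the advisory.

Added example: compares MAJOR.MINOR.BUILD.PATCH numerically, component by
component. A plain string comparison gets this wrong: "147.0.7727.6" sorts
after "147.0.7727.55" as text but is the older build.
"""
import re

FIXED_VERSION = "147.0.7727.55"  # first fixed build, taken from the advisory

# Chrome version strings are four dot-separated integers.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){3})")


def parse_version(text):
    """Extract the first four-part version from text such as the output of
    `google-chrome --version` ("Google Chrome 146.0.7600.12") and return it
    as a tuple of ints, which compares correctly. Raises ValueError if the
    text carries no version."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Chrome-style version found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version_text, fixed=FIXED_VERSION):
    """True if the build described by version_text is older than the fixed build."""
    return parse_version(version_text) < parse_version(fixed)


def naive_is_affected(bare_version, fixed=FIXED_VERSION):
    """The buggy variant: lexical comparison of the raw strings. Kept here only
    to show that it misclassifies builds whose last component is shorter."""
    return bare_version < fixed


def triage(hosts):
    """hosts: mapping hostname -> `--version` output.
    Returns (affected, patched, unknown) lists of hostnames."""
    affected, patched, unknown = [], [], []
    for host, output in hosts.items():
        try:
            (affected if is_affected(output) else patched).append(host)
        except ValueError:
            unknown.append(host)  # no parseable version, e.g. Chrome not installed
    return affected, patched, unknown


# Constructed sample inventory for illustration (not real hosts or data).
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 146.0.7600.12",
    "ws-02": "Google Chrome 147.0.7727.55",
    "ws-03": "Google Chrome 147.0.7727.6",   # older than .55 despite sorting after it as text
    "ws-04": "Google Chrome 148.0.7800.0",
    "ws-05": "google-chrome: command not found",
}

if __name__ == "__main__":
    affected, patched, unknown = triage(SAMPLE_INVENTORY)
    print("affected:", affected)
    print("patched: ", patched)
    print("unknown: ", unknown)
```

On a real fleet the `SAMPLE_INVENTORY` values would come from running `google-chrome --version` (or reading the installed binary's version on Windows and macOS) on each host; the comparison logic is the part worth keeping.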
Risk and Exploitability
A CVSS score of 4.3 is Medium severity (both CVSS v3.x and v4.0 place 4.0 to 6.9 in the Medium band), although at the low end of that band, and an EPSS score below 1% indicates a very low estimated probability of exploitation in the wild over the next 30 days. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Exploitation requires a remote attacker to host a specially crafted HTML page and convince a user to load it, so the realistic delivery vector is phishing or other social engineering; no authentication is needed, but user interaction is. Given the limited impact and the user‑interaction requirement, the risk to most organizations is modest, but it matters for environments that rely on Chrome's download prompts as a control, since a bypass makes those prompts unreliable until Chrome is updated.