Impact
The flaw lies in an incorrect security user interface within Chrome’s Omnibox on Android. A crafted HTML page can cause the browser to display a spoofed URL bar, enabling a remote attacker to trick users into believing they are interacting with a legitimate site. This can lead to phishing or credential harvesting, undermining the user’s trust and possibly confidentiality. The underlying weakness is an incorrect rendering of the Omnibox, which is a user-interface spoofing issue.
Affected Systems
Google Chrome for Android releases prior to version 147.0.7727.55 are affected. Any device running a browser instance before that build could be vulnerable to the spoofing attack.
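One practical follow-up to the version cutoff above is an inventory or proxy-log check for clients still on an affected build. The script below is an added example and not part of the advisory or of OpenCVE; it assumes the fixed build 147.0.7727.55 stated above, the usual Chrome-for-Android User-Agent shape ("Android" in the platform token and a "Chrome/<a.b.c.d>" product token), and a constructed log format of "<ip> \"<user-agent>\"". The version numbers in the sample lines are illustrative, not real observed traffic.

```python
"""Flag Chrome-for-Android clients older than the fixed build.

Added example, not the advisory's own tooling. Assumptions: the fixed
version 147.0.7727.55 from the text, Chrome's usual "Chrome/<a.b.c.d>"
User-Agent token, and a constructed log line format of <ip> "<user-agent>".
"""
from __future__ import annotations

import re
from typing import Optional

# Fixed build stated in the advisory; any numerically older build is affected.
FIXED_VERSION = "147.0.7727.55"

# Matches Chrome on Android: "Android" in the platform token followed by a
# four-part Chrome/<version> product token. "Mobile" is deliberately not
# required, since Chrome on Android tablets omits it.
_UA_RE = re.compile(r"\bAndroid\b.*\bChrome/(\d+(?:\.\d+){3})\b")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn "147.0.7727.55" into (147, 0, 7727, 55) for numeric comparison.

    Comparing as strings would be wrong: "99.0.0.0" > "147.0.7727.55" lexically.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Chrome version: {text!r}")
    return tuple(int(p) for p in parts)


def chrome_android_version(user_agent: str) -> Optional[str]:
    """Return the Chrome version from an Android UA, or None if not Chrome on Android."""
    m = _UA_RE.search(user_agent)
    return m.group(1) if m else None


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is strictly older than the fixed build."""
    return parse_version(version) < parse_version(fixed)


def scan_log(lines: list[str]) -> list[tuple[str, str]]:
    """Return (client_ip, version) for every Chrome-for-Android hit on an affected build."""
    hits = []
    for line in lines:
        # Constructed log format: <ip> "<user-agent>"
        ip, _, rest = line.partition(" ")
        ua = rest.strip().strip('"')
        ver = chrome_android_version(ua)
        if ver and is_affected(ver):
            hits.append((ip, ver))
    return hits


# Constructed sample lines (not real traffic); version numbers are illustrative.
SAMPLE_LOG = [
    '10.0.0.11 "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.7600.12 Mobile Safari/537.36"',
    '10.0.0.12 "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.7727.55 Mobile Safari/537.36"',
    '10.0.0.13 "Mozilla/5.0 (Linux; Android 13; SM-S918B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.7727.54 Mobile Safari/537.36"',
    '10.0.0.14 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.7600.12 Safari/537.36"',
    '10.0.0.15 "Mozilla/5.0 (Linux; Android 15; Pixel 9) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.58 Mobile Safari/537.36"',
]

if __name__ == "__main__":
    for ip, ver in scan_log(SAMPLE_LOG):
        print(f"{ip}: Chrome for Android {ver} is older than {FIXED_VERSION}")
```

The comparison is done on integer tuples rather than on the raw strings, because a lexical compare would rank a two-digit major version such as 99 above 147 and silently miss old clients. Desktop Chrome hits are skipped entirely, since the advisory scopes the flaw to the Android build; a build exactly equal to the fixed version is reported as not affected.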
Risk and Exploitability
The vulnerability has a low severity rating and is not listed in the CISA KEV catalog. The exploit requires a remote attacker to serve or host a crafted web page that the victim visits; no additional local privileges are needed. The likelihood of exploitation remains uncertain due to missing EPSS data, but the attack vector is remote and straightforward, making it potentially exploitable if users visit malicious sites.
OpenCVE Enrichment