Impact
Insufficient validation of untrusted input in WebSockets allows a remote attacker who has already compromised a Chrome renderer process to bypass the same‑origin policy using a crafted HTML page. The attacker can therefore access or manipulate resources that belong to other origins, which may lead to unauthorized data disclosure or modification. The vulnerability is rated as a low‑severity issue in Chromium, suggesting that exploitation complexity is moderate but that a potential impact on confidentiality exists.
Affected Systems
Google Chrome versions prior to 147.0.7727.55 are affected. The issue does not apply to later releases that include the patched WebSocket input validation logic.
Risk and Exploitability
How often this vulnerability is exploited is unknown: no EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog. The CVSS assessment marks it as low severity, indicating that the overall risk is modest. Exploitation requires a two‑stage attack: first a compromise of the renderer process, then delivery of a crafted web page that triggers the WebSocket validation flaw. Because both prerequisites are non‑trivial, the likelihood of a widespread attack is considered low, but organisations that run critical applications in Chrome should treat it with caution.
OpenCVE Enrichment