To use an inappropriate implementation in the Speech feature of Google Chrome versions before 148.0.7778.96, a remote attacker can craft a malicious HTML page that causes the browser to display spoofed user interface elements. The vulnerability allows the attacker to mislead users into interacting with a fraudulent interface that appears to belong to a legitimate application, potentially enabling phishing, credential theft, or deceptive interactions. The weakness is a kind of input validation or output handling failure, which can be abstracted as an information disclosure and user interaction flaw.

All users running Google Chrome prior to version 148.0.7778.96 are affected. This includes all stable channel releases on desktop platforms that have not yet applied the update that fixes the Speech API handling bug.

The vulnerability has a CVSS score of 5.4, indicating a medium severity. No EPSS score is reported, and it is not listed in CISA KEV. Attackers can exploit the flaw remotely by instructing a victim to load a specially crafted web page. The attack requires only a malicious HTML page and no additional privileges; the victim must visit the page in a vulnerable Chrome instance. With current data, the risk is moderate but could be elevated if exploitation proof‑of‑concepts appear.