Impact
An attacker who has already compromised a Chrome renderer process can craft a malicious HTML page that takes advantage of insufficient validation of the Cross-Origin-Opener-Policy (COOP) header. The omission in COOP handling allows the attacker to bypass Chrome's site isolation, potentially exposing data or browser state that should be protected from other origins. This flaw is a classic input validation weakness, identified as CWE-20.
Affected Systems
The vulnerability applies to any Google Chrome installation running a version earlier than 148.0.7778.96. No specific build numbers are listed; the issue exists in all releases preceding that patched version. The CPE entries indicate that Chrome on macOS, Linux, and Windows is affected.
Risk and Exploitability
The CVSS score of 3.1 indicates low severity, and the EPSS score is not available, so the current likelihood of exploitation cannot be quantified. Because the flaw requires an attacker to first compromise the renderer process, the attack surface is limited to environments where such a compromise is feasible, such as machines running malicious extensions or machines susceptible to exploitation of another vulnerability. The vulnerability is not listed in the CISA KEV catalog, and no widespread exploitation has been reported, but the potential for cross-origin data leakage warrants attention.