Impact
The flaw is insufficient validation of untrusted input in Chrome’s TabGroups feature, which lets a malicious actor send crafted network traffic that causes the browser to render spoofed UI elements. From the description, it is inferred that this can trick users into interacting with false prompts or content, potentially leading to phishing or other social-engineering attacks. The weakness is classified as CWE‑20 and is rated low severity by Chromium’s internal metric.
Affected Systems
All desktop builds of Google Chrome with a version lower than 148.0.7778.96 are affected; the vulnerability is fixed in the 148.0.7778.96 stable update. Users on earlier releases should treat the TabGroups feature as vulnerable until they upgrade to 148.0.7778.96 or later.
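A fleet check for the affected-version condition above, added here as an example and not part of the advisory: it compares reported Chrome builds numerically against the fixed version 148.0.7778.96, because a plain string comparison would rank "99.0.4844.51" above it and wrongly mark old builds as patched. The hostnames and versions in the sample inventory are constructed.

```python
"""Check Chrome desktop versions against the fixed build 148.0.7778.96."""
from typing import Iterable

FIXED_VERSION = "148.0.7778.96"  # fixed stable release named in the advisory


def parse_version(version: str) -> tuple[int, ...]:
    """Split a dotted Chrome version into an integer tuple.

    Numeric comparison matters: as strings, "99.0.4844.51" > "148.0.7778.96",
    which would wrongly treat Chrome 99 as patched.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    nums = tuple(int(p) for p in parts)
    # Pad to four components so that "148.0" compares like 148.0.0.0
    return nums + (0,) * (4 - len(nums))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if this desktop build predates the fix."""
    return parse_version(version) < parse_version(fixed)


def vulnerable_hosts(inventory: Iterable[tuple[str, str]]) -> list[str]:
    """Return hostnames whose reported Chrome build is below the fixed version."""
    return [host for host, ver in inventory if is_vulnerable(ver)]


# Constructed sample inventory: (hostname, Chrome version reported by the endpoint)
SAMPLE_INVENTORY = [
    ("ws-01", "147.0.7700.12"),
    ("ws-02", "148.0.7778.96"),
    ("ws-03", "148.0.7778.120"),
    ("ws-04", "99.0.4844.51"),
]

if __name__ == "__main__":
    for host in vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: upgrade Chrome to {FIXED_VERSION} or later")
```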
Risk and Exploitability
An attacker would need to deliver crafted network traffic to the victim’s Chrome instance, so the attack vector is remote but limited to network communication with an otherwise legitimate browser session. The EPSS score of approximately 0.00053 (<1%) and the absence of this CVE from CISA’s KEV catalog indicate that large‑scale exploitation has not been observed. Given the low severity rating from Chromium's internal metric, the lack of exploit evidence, and a published CVSS score of 5.4, the overall risk remains low, though the flaw can still enable UI‑based phishing.
OpenCVE Enrichment