Impact
Chromoting in Google Chrome allows a local attacker to bypass discretionary access control by executing a malicious file; this can lead to escalation of privileges on the host system. The vulnerability is an inappropriate implementation that fails to enforce proper file permissions, thereby permitting unauthorized operations. The weakness is characterized by CWE‑284 (Improper Access Control) and CWE‑639 (Account or Resource Discovery). The impact is limited to local systems where an attacker can place a crafted file, as no network component is involved.
Affected Systems
Affected systems are those running Google Chrome in a version prior to 148.0.7778.168 on any platform that supports Chromoting. No other vendors or products are listed as impacted, and the only explicit version coverage is the pre‑148.0.7778.168 range.
Risk and Exploitability
The vulnerability carries a medium severity rating, with a CVSS score of 5.5 according to Chromium's own assessment. The EPSS score of <1% indicates a very low probability of exploitation. The exploit requires local file placement and execution, making it dependent on user interaction or compromised local processes. Because the vulnerability is not listed in the CISA KEV catalog, there is no evidence of widespread exploitation, but the local nature of the threat means any user with sufficient local access could gain elevated privileges. Updating to the patched Chrome release removes the flaw; the fix is available via the standard stable channel update.