The vulnerability is an insufficient validation of untrusted input in the OptimizationGuide component of Google Chrome. An attacker who has compromised the browser’s renderer process can load a specially crafted HTML page that causes the interface to display false information or misleading graphics, enabling phishing or other forms of user deception. The flaw does not allow arbitrary code execution but permits a malicious entity to subvert the user’s trust in the browser’s UI. The flaw is associated with CWE-20 and CWE-1289.

All installations of Google Chrome with versions prior to 148.0.7778.216 are affected. This includes the stable channel and any builds that have not been updated to that specific revision or newer, across all operating systems supported by Chrome.

The flaw is rated high by Chromium’s engineering team and is listed with CWE-20 and CWE-1289. Because the renderer process is involved, an attacker must first be able to host content in a renderer or otherwise compromise it. External exploitation would require the attacker to lure a user to a malicious web page that runs within a compromised renderer. The CVSS score is 4.2, and the EPSS score is < 1%; the vulnerability is not in CISA’s KEV catalog. The high severity designation and the UI‑spoofing impact mean that the potential for phishing attacks or social engineering is significant, particularly in environments where users interact with sensitive data via Chrome.