This vulnerability arises from insufficient enforcement of enterprise policies within Chrome's DevTools, permitting a crafted malicious extension to bypass host restrictions on cookie modification. It affects Chrome versions before 147.0.7727.55. The issue is classified under CWE-602 (Improper Restriction of XML External Entity Reference). The CVSS 3.1 base score is 6.5, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, user interaction needed, unchanged scope, no confidentiality impact, high integrity impact, and no availability impact. The vendor advisory URL is provided but does not explicitly state patch or remediation details.

An attacker who convinces a user to install a malicious Chrome extension can bypass enterprise host restrictions to modify cookies, potentially impacting the integrity of user sessions or enterprise policy enforcement. There is no impact on confidentiality or availability. No known exploits have been reported in the wild.

Patch status is not yet confirmed — check the vendor advisory at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html for current remediation guidance. Until official fixes are confirmed, users and administrators should exercise caution when installing Chrome extensions, especially from untrusted sources, to prevent exploitation.