MEDIUM 5.4

CVE-2026-10984: Google Chrome Android UI Spoofing Vulnerability – Medium Severity

Google Chrome on Android contains a flaw in how it handles accessibility features that allows attackers to trick users with a fake interface. By hosting a malicious webpage, an attacker can make Chrome display misleading or fraudulent content that mimics legitimate UI elements, potentially deceiving users into performing unintended actions. The vulnerability requires user interaction—specifically, a user must visit the crafted page—but does not require special privileges or complex setup.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Weaknesses (CWE)
CWE-451
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in Accessibility in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10984 stems from an inappropriate implementation in the accessibility layer of Google Chrome on Android versions prior to 149.0.7827.53. The vulnerability enables UI spoofing attacks through specially crafted HTML pages. The accessibility subsystem's handling of UI elements fails to properly enforce visual boundaries or authenticity checks, permitting remote attackers to overlay or manipulate on-screen interface components visible to end users. This falls under CWE-451 (User Interface (UI) Misrepresentation of Critical Information), a class of flaws where security-relevant information is rendered in a manner that misleads the user about its origin or trustworthiness.

Business impact

For enterprises managing Android devices—particularly BYOD environments or organizations with significant mobile workforces—this vulnerability presents a social engineering vector. Attackers could craft convincing phishing pages that harvest credentials or trick users into authorizing sensitive actions. The impact spans confidentiality (credential theft) and availability (users disrupted by fraudulent prompts), though the vulnerability does not directly enable code execution or data extraction from Chrome itself. Organizations relying on Chrome as a primary mobile browser face elevated risk of credential compromise and user misdirection attacks.

Affected systems

Google Chrome on Android versions prior to 149.0.7827.53 are affected. Desktop and iOS versions of Chrome are not impacted by this specific accessibility flaw. The vulnerability is limited to the Android platform due to differences in how accessibility features are implemented across operating systems. Any Android device running an affected Chrome version—including older devices that may not receive automatic updates—remains at risk until patched.

Exploitability

The vulnerability carries a CVSS 3.1 score of 5.4 (MEDIUM severity) and is network-accessible with low attack complexity. It requires user interaction: a victim must visit a malicious webpage for the attack to succeed. The attack vector does not require authentication or elevated privileges. While the barrier to exploitation is low from a technical standpoint, the practical success rate depends on social engineering effectiveness. The vulnerability is not currently tracked on the CISA KEV catalog, indicating no evidence of active exploitation in the wild at the time of publication.

Remediation

Organizations should prioritize updating Chrome on Android to version 149.0.7827.53 or later across all managed and unmanaged devices. For enterprises: deploy Chrome updates through mobile device management (MDM) tools where available, and communicate the patch urgently to users with personal devices accessing corporate resources. For end users: enable automatic Chrome updates in Google Play Store settings, or manually check Chrome > About Chrome for available updates. Verify successful patch deployment through MDM dashboards or device inventory systems.

Patch guidance

Google released the patch in Chrome version 149.0.7827.53 for Android. Deployment path: Open the Google Play Store app → Search 'Chrome' → If an update is available, tap 'Update' or enable auto-update. IT administrators managing Chrome via Google Play Enterprise or similar deployment systems should push the update to all enrolled devices immediately. Verify patch status by navigating to Chrome Settings > About Chrome, which will display the installed version. No interim mitigations exist; patching is the only remediation. Confirm the targeted version against the official Chromium security release notes to ensure alignment with your deployment infrastructure.

Detection guidance

Detection at the endpoint level is challenging, as the vulnerability manifests through user interaction with rendered content rather than network-level indicators. Security teams should: (1) Monitor Chrome version inventory in MDM solutions to identify unpatched devices; (2) alert users via security awareness communications about UI spoofing risks and how to verify page authenticity before entering credentials; (3) implement email filtering rules to block known phishing campaigns that might exploit this flaw; (4) review user access logs and authentication events for suspicious patterns (impossible travel, unusual login times) that may indicate credential compromise via UI spoofing. Endpoint Detection and Response (EDR) tools cannot detect the vulnerability directly, but may flag unusual Chrome process behavior or credential exfiltration post-exploitation.

Why prioritize this

Although CVSS 5.4 places this in the MEDIUM severity band, the accessibility-layer nature and UI spoofing capability warrant elevated priority for mobile-heavy organizations. The vulnerability is easy to exploit from an attacker's perspective (network-accessible, low complexity) and aligns with common phishing and social engineering tactics. The lack of KEV designation suggests limited current exploitation, but the attack pattern—user-facing fraud—is well-understood and likely to be weaponized once awareness spreads. Organizations with significant Android deployments or high-value mobile users should treat this as a near-term patching objective rather than a routine update cycle task.

Risk score, explained

The CVSS 3.1 score of 5.4 reflects network accessibility and low attack complexity offset by the requirement for user interaction and the limited impact scope (UI manipulation, not code execution). The vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L indicates integrity and availability impacts are low in the scoring model because the attack does not breach Chrome's sandbox or corrupt persistent data. However, the *practical* risk to organizations is higher: the vulnerability enables credential theft and unauthorized user actions, which carry significant downstream consequences. Security leaders should weight the accessibility layer's trust implications more heavily than the CVSS score alone suggests.

Frequently asked questions

Does this vulnerability affect Chrome on Windows, macOS, or iOS?

No. CVE-2026-10984 is specific to Google Chrome on Android due to platform-specific accessibility implementation differences. Desktop browsers and Chrome on iOS use distinct accessibility architectures and are not vulnerable to this UI spoofing flaw.

Can this vulnerability be exploited without user interaction?

No. The attack requires a user to visit a crafted webpage. An attacker cannot force the vulnerability remotely; the victim must click a link or navigate to a malicious site. This is reflected in the CVSS vector (UI:R). However, social engineering or malicious advertisements can lower the practical barrier to user interaction.

Is there a workaround if I cannot patch immediately?

There is no reliable workaround. Mitigation options are limited: disable auto-fill for passwords in Chrome settings to reduce credential theft impact if compromised, use a password manager with additional verification steps, and educate users to scrutinize login pages for signs of spoofing. However, patching is the only complete remediation.

Why is this vulnerability not on the CISA KEV list?

CISA adds vulnerabilities to the KEV catalog only when there is evidence of active, in-the-wild exploitation. As of the publication date, there was no confirmed evidence that attackers were actively exploiting CVE-2026-10984. This does not mean the vulnerability is not serious; it indicates limited or no observed exploitation at the time of reporting.

This analysis is based on the official CVE record and Chromium security advisories available as of the publication date. Security researchers and organizations should consult the official Chromium security release notes at https://chromereleases.googleblog.com and vendor advisories for the most current patch guidance and technical details. Patch version numbers and release dates should be verified against official Google sources. This document does not constitute legal advice or guarantee of security; it is provided for informational purposes to support risk assessment and remediation planning. Testing patches in non-production environments before enterprise deployment is strongly recommended. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).