MEDIUM 4.3

CVE-2026-11192: Chrome Password Manager UI Spoofing Vulnerability (CVSS 4.3)

Google Chrome's password manager has a flaw that fails to properly check information coming from the network. An attacker can exploit this by sending crafted network traffic to trick the browser's UI into displaying fake or misleading content—for example, mimicking legitimate login prompts or security warnings. The attacker cannot steal data or crash the browser, but they can manipulate what users see, potentially leading to credential theft or social engineering attacks if the spoofed interface convinces users to enter sensitive information.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-20
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Insufficient validation of untrusted input in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via malicious network traffic. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11192 is an input validation vulnerability (CWE-20) in the Password Manager component of Google Chrome prior to version 149.0.7827.53. The flaw allows insufficient validation of untrusted input received via network traffic, enabling UI spoofing attacks. An unauthenticated remote attacker with network access can craft malicious traffic to trigger the vulnerability. The CVSS 3.1 score of 4.3 (Medium severity) reflects low attack complexity and no special privileges required, but limited impact—the attack affects integrity only (UI manipulation) with no confidentiality or availability impact. This is a network-based attack requiring user interaction.

Business impact

While rated Medium severity, this vulnerability poses a meaningful phishing and social engineering risk. Attackers could spoof password entry dialogs, two-factor authentication prompts, or security warnings to harvest credentials. The attack requires user interaction and a network position to inject malicious traffic, limiting opportunistic mass exploitation but creating targeted risk for users on compromised networks (corporate, public WiFi, ISP-level attacks). Organizations relying on Chrome for workforce browsers should prioritize patching to reduce credential compromise risk, particularly if employees use public networks.

Affected systems

The vulnerability affects Google Chrome on all major operating systems: Windows, macOS, and Linux. Any Chrome installation prior to version 149.0.7827.53 is vulnerable. The listed affected vendors/products (Google Chrome, Apple macOS, Linux kernel, Microsoft Windows) indicate the scope includes Chrome deployments across these platforms. Enterprise environments with mixed OS deployments must patch Chrome on all endpoints.

Exploitability

Exploitability is rated as straightforward (CVSS AV:N, AC:L, PR:N). An attacker requires only network access and user interaction—they must position themselves to intercept or manipulate network traffic (e.g., via compromised WiFi, BGP hijacking, DNS spoofing, or ISP compromise) and then craft malicious traffic that triggers the password manager's UI spoofing. The attack is not in the CISA KEV catalog, suggesting active exploitation in the wild has not been widely documented as of the publication date. However, the low technical barrier and practical value for phishing make it a realistic post-patch risk.

Remediation

Update Google Chrome to version 149.0.7827.53 or later. Chrome's auto-update mechanism will deliver patches automatically for most users, but verify deployment in managed environments. No workarounds exist; patching is the only mitigation. Organizations should confirm patch deployment across all Chrome instances, including managed deployments via Mobile Device Management (MDM), Group Policy, or endpoint management tools.

Patch guidance

Install Chrome version 149.0.7827.53 or later. For enterprise deployments: verify Chrome auto-update is enabled or use centralized update mechanisms (Google Admin Console for Workspace users, Windows Group Policy for corporate Windows environments, or MDM solutions for macOS and Linux). Test patches in a controlled environment first if your organization maintains custom Chrome policies. Check Chrome's release notes and security advisories at https://chromereleases.googleblog.com/ to confirm patch availability and rollout status. Verify endpoint compliance post-patching.

Detection guidance

Detection is challenging because the attack exploits client-side UI rendering without necessarily leaving obvious network signatures. However, organizations can: (1) monitor network traffic for anomalies on ports used by Chrome (DNS, HTTP/HTTPS) that might indicate traffic interception or injection; (2) review endpoint logs for Chrome process behavior, though spoofing attacks may not trigger crash reports; (3) educate users to scrutinize password manager prompts—legitimate Chrome password managers display consistently styled dialogs without external network requests visible to users; (4) deploy network segmentation and encrypted DNS (DoH) to reduce the likelihood of traffic interception; (5) monitor for suspicious login patterns (failed logins followed by success from a new device/location immediately after user reports seeing unusual login prompts) that may indicate credential compromise via spoofing.

Why prioritize this

This vulnerability merits prompt but not emergency patching. Medium CVSS severity, limited impact scope (UI integrity only), and lack of KEV listing suggest it is not actively exploited at scale. However, prioritize patching if: (1) your organization operates in a high-risk network environment (corporate networks, public WiFi-heavy workforce, regions with ISP-level filtering); (2) users handle sensitive credentials via Chrome password manager; (3) your organization manages Chrome centrally and can quickly validate and deploy patches. Standard patch cycles (weekly or monthly) are acceptable if users are educated to be suspicious of unusual password manager prompts.

Risk score, explained

The CVSS 3.1 score of 4.3 reflects: Attack Vector Network (attacker needs no physical access), Attack Complexity Low (straightforward to exploit once positioned), Privileges Required None (no authentication needed), User Interaction Required (user must interact with the spoofed UI), Scope Unchanged (impact limited to the vulnerable component), Confidentiality None (data not disclosed), Integrity Low (UI can be manipulated), Availability None (no denial of service). The Medium severity is appropriate—realistic attackers can exploit this via network positioning and social engineering, but the impact is credential theft through deception rather than direct system compromise. The attack requires both network capability and user action, preventing trivial mass exploitation.

Frequently asked questions

Can this vulnerability be exploited without the user seeing anything unusual?

No. The vulnerability requires user interaction—an attacker must trick the user into interacting with the spoofed UI (e.g., entering credentials into a fake password dialog). Users who carefully examine password prompts for inconsistencies or who are using Chrome's built-in password manager on a trusted network are at lower risk.

Does this affect Chrome on mobile devices?

The description and CVE details provided reference Chrome on major operating systems including Linux, Windows, and macOS. Chrome on Android and iOS may or may not be affected; verify against Google's official Chrome security update documentation and mobile platform release notes for definitive status.

If my organization uses a different password manager (e.g., Dashlane, 1Password), am I affected?

No. This vulnerability is specific to Google Chrome's built-in Password Manager component. Third-party password managers are not affected. However, users may still have Chrome's password manager enabled in parallel; disabling it is an option if you want to force use of a third-party solution.

What is the difference between this vulnerability and a typical phishing attack?

A typical phishing attack uses a fake website or email to trick users into visiting a malicious page. This vulnerability allows an attacker to fake the UI *within* Chrome itself—for example, by spoofing the password manager's dialog or other security UI elements. This is more convincing because the user sees the spoofed interface in the context of Chrome's legitimate UI, making it harder to distinguish from reality.

This analysis is based on the published CVE description, CVSS vector, and related metadata as of the modification date (2026-06-17). Patch version numbers, affected product versions, and vendor advisories must be verified against official Google Chrome security advisories and release notes at https://chromereleases.googleblog.com/. Exploit details, proof-of-concept code, or weaponized attack techniques are not provided. Organizations should conduct their own risk assessment based on their network environment, user behavior, and Chrome deployment practices. This intelligence is for informational purposes and should not be used as a substitute for professional security assessment or vendor guidance. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).