MEDIUM 4.3

CVE-2026-11221 Chrome PointerLock UI Spoofing Vulnerability: Patch Guidance

A weakness in Google Chrome's PointerLock feature allows a threat actor who has already gained control of the browser's renderer process to deceive users through fake on-screen elements. The attacker would craft a malicious HTML page that tricks the browser into displaying misleading UI, potentially impersonating legitimate interface elements. This requires the renderer process to be compromised first, making it a secondary attack that typically follows another successful exploit.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-20
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Insufficient validation of untrusted input in PointerLock in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11221 stems from insufficient input validation in Chrome's PointerLock implementation prior to version 149.0.7827.53. The PointerLock API is designed to lock the mouse cursor to a specific element, commonly used in games and immersive web experiences. The vulnerability allows an attacker with renderer process compromise to bypass validation checks and inject or manipulate UI elements through crafted HTML, creating conditions for UI spoofing attacks. The issue is classified as CWE-20 (Improper Input Validation).

Business impact

While the Chromium security team rates this as Low severity, the CVSS v3.1 score of 4.3 reflects its limited direct impact. The business risk is primarily to user trust and potential phishing amplification: if an attacker has already compromised a renderer process, they can layer UI spoofing on top to redirect users to fraudulent login pages or capture sensitive input. Organizations should monitor for evidence of renderer process compromises, as those are the true indicators of elevated risk. For most enterprises, this is a routine patch item rather than an emergency response driver.

Affected systems

Google Chrome versions prior to 149.0.7827.53 are directly affected. The vulnerability affects Chrome on Windows, macOS, and Linux. While the vendor list includes references to the host operating systems (Windows, macOS, Linux kernel), the vulnerability itself is Chrome-specific; the OS is listed only because Chrome runs on those platforms. Organizations running Chrome on any of these operating systems should prioritize patching.

Exploitability

Exploitation requires a multi-step attack chain: first, the attacker must compromise the browser's renderer process through a separate vulnerability or attack. Only then can they leverage this PointerLock flaw to craft malicious HTML that performs UI spoofing. The requirement for prior renderer compromise significantly raises the bar for opportunistic attackers. The attack does require user interaction (clicking or interacting with the spoofed UI), but that is often trivial once the UI deception is in place. CVSS factors reflect this: network-accessible (AV:N), low attack complexity (AC:L), but still requiring user interaction (UI:R).

Remediation

Update Google Chrome to version 149.0.7827.53 or later. Chrome's auto-update mechanism will typically handle this without user intervention; however, users on managed enterprise environments should verify the update has deployed. No workarounds mitigate the underlying validation flaw, though disabling PointerLock-dependent applications or extensions until patching is complete provides temporary risk reduction.

Patch guidance

Deploy Chrome version 149.0.7827.53 or later across your environment. If you manage Chrome through a centralized control system (Google Admin Console, Microsoft Intune, or similar), update your deployment policies to enforce the minimum version. For organizations with Chrome pinning policies, adjust your pinned version. Monitor Chrome update channels (Stable, Beta, Dev) to confirm rollout. Most users on auto-update will receive this patch automatically within days of release; prioritize verification for offline or restricted-update endpoints.

Detection guidance

Monitor Chrome version inventory across your endpoints to identify machines still running pre-149.0.7827.53 versions. Check the About Google Chrome menu on target machines, or use endpoint management tools to report Chrome version compliance. Look for any browser process crashes or renderer process terminations, which might indicate exploitation attempts. If you suspect renderer process compromise, elevated Chrome process CPU or memory usage, or suspicious network connections from the Chrome process should trigger incident investigation.

Why prioritize this

Patch this vulnerability as part of your regular Chrome update cycle, but not as an emergency. The requirement for prior renderer process compromise makes this a secondary risk that surfaces only in the presence of more critical flaws. The CVSS score of 4.3 and Chromium's Low severity rating reflect the limited standalone attack surface. Prioritize critical and high-severity vulnerabilities first; slot this into your standard monthly or quarterly Chrome patch window.

Risk score, explained

The CVSS v3.1 score of 4.3 (Medium) reflects the combination of network accessibility and low complexity, tempered by the requirement for prior renderer compromise and user interaction. Chromium's internal assessment of Low severity suggests that in the context of all Chrome threats, this is relatively contained. The impact is limited to integrity (spoofed UI), not confidentiality or availability. Organizations with robust renderer process protection (sandbox, process isolation) already in place are at lower risk than those exposed to renderer exploits.

Frequently asked questions

Do I need to patch this immediately?

No. This vulnerability requires an attacker to first compromise your Chrome renderer process through a separate vulnerability. If you maintain regular patching discipline for critical and high-severity Chrome vulnerabilities, you are already limiting the likelihood of renderer compromise. Include this patch in your next scheduled Chrome update cycle (typically monthly or quarterly).

What is the PointerLock API and why does it matter?

PointerLock is a web API that locks the mouse cursor to a specific browser element, preventing users from moving it outside that area. It's used by web-based games, virtual reality applications, and remote desktop tools. The API itself is legitimate and useful; the vulnerability is in how Chrome validates input to that API, allowing malicious pages to spoof UI elements once a renderer is compromised.

If the Chromium team rates this as Low severity, why is the CVSS score 4.3 (Medium)?

CVSS and vendor severity ratings measure different things. Chromium's Low rating reflects the specific risk landscape of Chrome and the need for prior renderer compromise. The CVSS 4.3 score measures technical attributes like attack vector (network) and complexity (low) in a standardized way. Both are valid; use Chromium's rating for Chrome-specific context and CVSS for consistency across your vulnerability database.

Does this affect Chrome on mobile platforms?

The vulnerability description and affected vendor list do not explicitly mention Android or iOS. While Google Chrome for Android and Apple's Webkit (used on iOS) may have related code, this CVE appears specific to desktop Chrome. Verify mobile browser versions separately if you manage enterprise mobile devices.

This analysis is based on the official CVE record and Chromium security advisory as of the publication date. Patch versions, affected releases, and vendor guidance may be updated by Google; verify against the official Google Chrome security page before deployment. This vulnerability requires prior renderer process compromise; organizations should simultaneously focus on preventing those compromises through defense-in-depth strategies. No exploit code or weaponized proof-of-concept is discussed here. Test patches in a controlled environment before full deployment. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).