MEDIUM 6.5

CVE-2026-11225: Chrome Domain Spoofing Vulnerability – Patch Guidance

Google Chrome before version 149.0.7827.53 contains a flaw that allows attackers to perform domain spoofing—making a malicious website appear to come from a trusted domain. An attacker would need to trick a user into visiting a crafted link, but once clicked, the browser's address bar or other visual indicators could misrepresent the true origin of the site. This affects Chrome on Windows, macOS, and Linux.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Weaknesses (CWE)
CWE-451
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in WebUI in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform domain spoofing via a crafted domain name. (Chromium security severity: Low)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11225 stems from an inappropriate implementation in Chrome's WebUI component that fails to properly validate or display domain information for user-facing security indicators. The vulnerability maps to CWE-451 (User Interface (UI) Misrepresentation of Critical Information), meaning the browser fails to accurately represent the domain being visited. An attacker crafts a domain name designed to exploit this validation gap, causing the WebUI to display misleading origin information. The CVSS 3.1 score of 6.5 (MEDIUM) reflects the requirement for user interaction and the integrity impact limited to trust/spoofing rather than data confidentiality or availability.

Business impact

Domain spoofing attacks undermine user trust in the browser's security indicators—the primary defense against phishing and credential theft. Compromised users may unknowingly submit credentials or sensitive data to attacker-controlled sites believing they are interacting with legitimate services. For enterprises, this increases the risk of successful phishing campaigns targeting employees, particularly those visiting banking, email, or SaaS platforms. The impact is indirect but significant: each spoofed domain visit represents a potential credential compromise or malware delivery vector.

Affected systems

Google Chrome versions prior to 149.0.7827.53 are vulnerable on all major operating systems: Windows, macOS, and Linux. Any user running an unpatched Chrome browser is at risk. The vulnerability does not affect other Chromium-based browsers unless they also contain the same WebUI flaw; users should verify their browser version and check with their vendor for equivalent patch availability.

Exploitability

Exploitability requires user interaction—the user must be tricked into clicking a link to a crafted domain. No network privileges, local access, or special configuration is needed from the attacker's side. The low barrier to entry makes this practical for phishing campaigns, social engineering, and mass email attacks. The vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting active in-the-wild exploitation has not yet been widely documented, though the ease of exploitation means security teams should treat it with urgency.

Remediation

Update Google Chrome to version 149.0.7827.53 or later. Chrome users on Windows, macOS, and Linux should check for automatic updates via Settings > About Google Chrome, which will prompt installation and relaunch. Organizations managing Chrome deployments should push this update through their standard patch management processes without delay.

Patch guidance

Chrome automatically notifies users of available updates and can be configured to auto-restart after patching. Enterprise deployments can enforce version requirements via Chrome policies. Verify successful patching by navigating to chrome://version and confirming the installed version is 149.0.7827.53 or higher. No extended support versions or legacy branches are mentioned; verify against the official Chrome release notes for platform-specific availability.

Detection guidance

Monitor for abnormal domain-spoofing attempts by logging user visits to domains with names designed to impersonate legitimate services (look-alike domains, homograph attacks, etc.). Endpoint Detection and Response (EDR) tools can flag Chrome versions below 149.0.7827.53 in inventory scans. Monitor for user reports of unexpected domain display in the address bar or SSL certificate warnings. Email security systems should scrutinize links in messages that could exploit this via social engineering.

Why prioritize this

Patch this within 7–14 days. While the Chromium project assigned it a 'Low' severity rating, the CVSS 6.5 MEDIUM score and user-interaction requirement do not diminish the business risk. Phishing is one of the most common attack vectors in enterprises, and domain spoofing directly enables it. The simplicity of exploitation and high user base of Chrome make this a priority. The absence of known active exploitation provides a small window to patch before attackers weaponize it at scale.

Risk score, explained

CVSS 6.5 reflects: (1) network accessibility with no special privileges required; (2) low attack complexity; (3) required user interaction (clicking a link); (4) no impact on confidentiality or availability; and (5) integrity impact limited to the user's trust model rather than data corruption. The score appropriately balances the low complexity of attack with the practical difficulty of exploiting it without social engineering. Contextually, the integrity impact—misleading users about website origin—is high-risk for phishing scenarios.

Frequently asked questions

Why does Chrome's Chromium project call this 'Low' severity if CVSS is 'MEDIUM'?

Chromium's internal severity classifications differ from CVSS scoring. Chromium may rate it 'Low' because it requires user interaction and does not directly leak data or compromise the system's core security. CVSS 6.5 accounts for the broader business and user-trust impact. Both assessments are correct in their respective contexts; CVSS is the more standardized metric for enterprise risk prioritization.

Does this vulnerability affect Chrome on mobile devices?

The provided data lists Windows, macOS, and Linux as affected platforms. Chrome on Android and iOS may have separate patching cycles and implementations; check with Google and Apple respectively for mobile-specific updates and whether the same vulnerability exists in those builds.

Can users work around this without updating?

No reliable workaround exists for users. Organizations can implement additional email filtering, multi-factor authentication, and user security awareness training to reduce phishing success rates, but these do not block the technical vulnerability. Update to 149.0.7827.53 or later as soon as possible.

Should I be concerned if this is not yet in the KEV catalog?

The absence from CISA's KEV catalog means active, widespread, federally-confirmed exploitation has not been reported yet. This is actually favorable and provides a narrow window for patching before attackers target this at scale. Do not interpret it as low risk; treat it as a proactive patching opportunity.

This analysis is provided for informational purposes and does not constitute legal or compliance advice. Patch version numbers and affected product versions are based on the official CVE record; verify all technical details against the Google Chrome security advisories and vendor notices. Exploitation of any computer system without authorization is illegal. Organizations should test patches in non-production environments before deployment and monitor systems for any unexpected behavior post-update. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).