MEDIUM 6.5

CVE-2026-11227: Chrome Tab Hover Card Domain Spoofing Vulnerability

Google Chrome versions before 149.0.7827.53 contain a flaw in how it displays security information in tab hover cards—the small popup that appears when you hover over a browser tab. An attacker can craft a deceptive domain name that, when displayed in this hover card, makes it appear to be a legitimate website you trust. This is a domain spoofing attack: the user sees what looks like one domain but is actually visiting a different one. The vulnerability requires user interaction (hovering over the tab and being deceived) but could help an attacker trick users into thinking they're on a safe site when they're not.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Weaknesses (CWE)
CWE-451
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Incorrect security UI in Tab Hover Cards in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform domain spoofing via a crafted domain name. (Chromium security severity: Low)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11227 exploits a user interface rendering flaw in Chrome's tab hover card implementation. The vulnerability stems from improper validation or sanitization of domain names displayed in the hover card UI element, allowing a remote attacker to craft a malicious domain that visually spoofs a legitimate domain when the hover card is rendered. The root cause is classified as CWE-451 (User Interface (UI) Misrepresentation of Critical Information), indicating that the security-critical domain information is being misrepresented to the user. The attack vector is network-based and does not require authentication or special privileges, though it does depend on user interaction. Chromium security classified this as Low severity; however, the CVSS v3.1 score of 6.5 (Medium) reflects the integrity impact of successful domain spoofing attacks.

Business impact

Domain spoofing attacks enabled by this flaw can compromise user trust in browser security indicators. Users relying on the tab hover card to verify they are on the correct domain could be socially engineered into entering credentials, payment information, or sensitive data on attacker-controlled sites. For organizations, this means employees using unpatched Chrome could be more vulnerable to phishing and credential harvesting campaigns that leverage visual deception. The impact is primarily reputational and information-disclosure related rather than system compromise, but can facilitate downstream attacks like unauthorized access or fraud.

Affected systems

The vulnerability affects Google Chrome on Windows, macOS, and Linux systems running versions prior to 149.0.7827.53. While the CVE entry lists broad platform categories (Windows, macOS, Linux kernel), the actual vulnerable component is the Chrome browser itself. Any user or organization running Chrome before version 149.0.7827.53 on any supported platform is at risk. Users should verify their current Chrome version and check for automatic updates.

Exploitability

Exploitation requires a remote attacker to craft and host a malicious domain with a name designed to visually spoof a legitimate domain within the tab hover card display. The attacker then must trick a user into clicking a link to that domain. Once the tab is open and the user hovers over it, the spoofed domain name will appear in the hover card, deceiving the user about the actual site they are visiting. The attack is relatively straightforward to execute but depends entirely on successful social engineering and user inattention. No special tools, exploits, or elevated privileges are required beyond hosting the malicious domain and delivering the link.

Remediation

Users and administrators should update Google Chrome to version 149.0.7827.53 or later. Chrome typically updates automatically, but users can manually check for updates via the menu (three dots) → Help → About Google Chrome. Organizations can enforce Chrome updates through mobile device management (MDM) solutions or group policy on managed endpoints. As an interim mitigation, users should exercise caution when hovering over tabs and verify the full URL in the address bar—not the tab hover card—before entering sensitive information. Educating users to trust the address bar over UI elements can reduce the window of vulnerability.

Patch guidance

Update Chrome to version 149.0.7827.53 or later. Verify the update using Chrome's About page, which will show the current version number. For enterprise deployments, consult Google's Chrome release notes and your organization's patch management procedures. Chromium-based browsers and forks may or may not receive the same patch; verify your specific browser vendor's security advisories. No rollback or workarounds are necessary; the patch is straightforward and does not introduce breaking changes.

Detection guidance

Detection of active exploitation is challenging because the attack requires user interaction and leaves minimal forensic traces—no malware is installed, no system calls are made. Network teams can monitor for traffic to newly registered domains with homoglyph or lookalike characteristics, though this produces significant false positives. Endpoint detection and response (EDR) tools will not flag the attack unless it leads to credential theft or malware download. The most practical detection approach is user reporting and security awareness; if users report being on unexpected domains or seeing suspicious hover card behavior, investigate their browsing history and potentially compromised accounts. Browser history logs and network proxy logs can reveal the destination domain.

Why prioritize this

Although Chromium rated this Low severity, the CVSS 6.5 Medium score reflects the integrity impact of domain spoofing—users can be deceived into revealing credentials or sensitive data. Prioritize patching for high-risk users (finance, HR, executive staff) who handle sensitive information and may be targeted by phishing. The attack requires user interaction, which limits its impact compared to remote code execution flaws, but the deception factor makes it particularly dangerous for social engineering campaigns. Standard patch cycles (within 30 days) are appropriate; this is not a zero-day emergency but should not be deferred indefinitely.

Risk score, explained

The CVSS v3.1 score of 6.5 (Medium) is assigned because: (1) the attack vector is network-accessible (AV:N) with no special privileges (PR:N); (2) the attack complexity is low (AC:L), meaning straightforward exploitation; (3) user interaction is required (UI:R), reducing the attack surface; (4) the scope is unchanged (S:U), affecting only the user's trust in the tab display; (5) there is no confidentiality impact (C:N), as no data is directly stolen by the UI flaw; (6) integrity is highly impacted (I:H) because the user's understanding of which domain they are on is compromised; (7) availability is not affected (A:N). The Medium severity reflects the real-world risk of credential theft and fraud enabled by visual deception, despite Chromium's Low internal classification.

Frequently asked questions

How does an attacker actually spoof a domain in a tab hover card?

The attacker registers or controls a domain name that is visually similar to a legitimate domain—for example, using homoglyphs (lookalike characters) or strategic misspellings. When a user visits this malicious domain and hovers over the browser tab, the hover card displays the attacker's domain name. Because the UI rendering is flawed, the attacker's domain might be truncated, styled, or formatted in a way that makes it appear to be the legitimate domain the user intended to visit. The user, seeing what they believe is the trusted domain, enters credentials or sensitive data into the attacker's site.

Do I need to worry about this if I use automatic Chrome updates?

Most users benefit from Chrome's automatic update mechanism, which typically deploys patches within days of release. Check your current version in Chrome menu → Help → About Google Chrome; if you see version 149.0.7827.53 or later, the patch has already been applied. However, if your organization has disabled auto-updates or you are using a long-support release channel, you should manually trigger the update. Corporate environments should verify patch deployment through their device management systems.

Can this vulnerability steal my passwords or install malware?

The vulnerability itself does not steal passwords or install malware. It is a UI rendering flaw that enables domain spoofing—it deceives users about which website they are visiting. The real harm occurs when a user, fooled by the spoofed domain, voluntarily enters credentials or sensitive data into the attacker's site. To minimize risk, always verify the full URL in the address bar before entering sensitive information, and be especially cautious if you notice mismatches between what you expect to see and what is displayed.

Is this vulnerability exploited in the wild?

As of the published information, there is no indication that this vulnerability has been added to the Known Exploited Vulnerabilities (KEV) catalog, suggesting that active in-the-wild exploitation has not been widely documented or confirmed. However, the low barrier to exploitation (crafting a lookalike domain) means it could be used in targeted phishing campaigns. Promptly patch to limit exposure, and educate users about domain spoofing risks.

This analysis is provided for informational purposes and reflects the vulnerability details published as of the modification date. No exploit code or weaponized proof-of-concept details are included. Patch version numbers and affected product lists are drawn directly from official CVE and vendor advisory sources; verify current patch availability with Google's Chrome release notes and your organization's patch management systems. This vulnerability analysis does not constitute legal advice or a guarantee of security; organizations should conduct their own risk assessments and testing before deploying patches in production environments. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).