CVE-2026-11228: Chrome UI Spoofing Vulnerability via File Input Flaw
Google Chrome before version 149.0.7827.53 contains a flaw in how it handles file input operations that allows attackers to deceive users through visual manipulation. If an attacker can trick a user into performing specific clicks or interactions on a malicious webpage, they can spoof the browser interface—making fake buttons, dialogs, or other UI elements appear legitimate. This is a social engineering attack that relies on user interaction; the vulnerability itself is in Chrome's file input implementation.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-451
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in File Input in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11228 is a UI spoofing vulnerability stemming from inappropriate implementation in Chrome's File Input handler (CWE-451: User Interface (UI) Misrepresentation of Critical Information). The attack surface is network-based with no privilege escalation required. The vulnerability requires user interaction—specifically, the victim must perform deliberate UI gestures on the attacker's crafted HTML page. Once triggered, the attacker can overlay or misrepresent critical UI elements, potentially leading to credential harvesting, malware distribution confusion, or social engineering amplification. The CVSS 3.1 vector reflects low attack complexity, network accessibility, required user interaction, and integrity impact without confidentiality or availability loss.
Business impact
The primary risk is reputational and user trust erosion. Attackers could craft convincing phishing pages that appear to come from legitimate services or browser dialogs. Users may inadvertently grant permissions, download malware, or disclose sensitive information if they cannot visually distinguish legitimate from spoofed interface elements. For organizations, this creates support burden and potential credential compromise if users interact with attacker-controlled sites while authenticated to sensitive services. The medium CVSS score reflects that while real-world impact exists, exploitation requires user deception—not autonomous compromise.
Affected systems
Chrome on Windows, macOS, and Linux systems running versions prior to 149.0.7827.53 are vulnerable. The underlying Chrome security advisory identifies this as a Chromium Low severity issue, meaning the Chromium project assessed the practical exploitability and impact as constrained. Other Chromium-based browsers (Edge, Brave, Opera, etc.) may also be affected depending on their update cadence relative to Chromium 149.0.7827.53.
Exploitability
Exploitation is not wormable or autonomous. An attacker must author a crafted HTML page and convince or socially engineer a user to visit it and perform specific UI interactions. There is no exploit in the wild tracked in the Exploit Database, and this CVE has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting exploitation remains theoretical or limited. The barrier to exploitation is moderate: technical skill is needed to craft the spoofing payload, but user tricking is the primary hurdle. Mass exploitation via drive-by downloads or zero-click vectors is not applicable here.
Remediation
Users and administrators should update Google Chrome to version 149.0.7827.53 or later. For managed deployments, Chrome update policies can be enforced via Group Policy (Windows), configuration profiles (macOS), or Linux package managers. The fix addresses the file input implementation defect, eliminating the vector for UI spoofing via this mechanism. No workarounds are available; patching is the only mitigation.
Patch guidance
Install Chrome version 149.0.7827.53 or any later release. Users can check their current version at chrome://version/ and enable automatic updates (default behavior). For enterprise Chrome deployments, verify update policies are active and apply patches within standard change windows. Consider communicating to end users that they should be skeptical of unexpected permission prompts or file dialogs and verify authenticity through independent means (e.g., checking official websites directly).
Detection guidance
Detection is challenging because the vulnerability manifests as social engineering. Monitor for unusual download or permission-grant events from suspicious domains, and correlate with user reports of confusing dialogs. Endpoint detection and response (EDR) tools can log Chrome version inventory to identify unpatched systems. Web application firewalls can flag known attacker IP ranges or malicious referrer patterns, but the attack surface is broad (any website can host the malicious page). User awareness training—teaching users to verify permission dialogs and not interact with unsolicited file-open requests—is the most practical detection complement.
Why prioritize this
While the CVSS score is 4.3 (Medium), this CVE should not delay other critical patching but does warrant timely remediation within 30–60 days. The lack of known active exploitation, medium severity rating from Chromium, and reliance on user interaction place it below high-risk vulnerabilities. However, the ubiquity of Chrome and the potential for social engineering campaigns targeting specific user groups (e.g., financial sector, government contractors) merit prompt patching. Prioritize systems used by high-value targets or high-risk users.
Risk score, explained
The CVSS 3.1 score of 4.3 reflects: (1) Network attack vector—easily reachable remotely, (2) Low attack complexity—no special conditions required, (3) No privilege requirement, (4) Required user interaction via specific gestures, and (5) Integrity impact only (UI spoofing, no data breach). Confidentiality and availability are unaffected. Chromium's Low severity assessment aligns with this: the attack requires social engineering and provides no direct path to code execution, lateral movement, or data exfiltration. Organizations with strong user security awareness may accept this risk longer than a critical zero-day.
Frequently asked questions
Could this be used to steal credentials or login information?
Yes, indirectly. If an attacker spoofs a login dialog or file-save prompt, a user might enter credentials or unknowingly accept a malicious file. However, the vulnerability itself does not decrypt data or bypass authentication—it relies on visual deception. Users who verify URLs and are skeptical of unexpected prompts are largely protected.
Is this vulnerability actively being exploited in the wild?
As of the latest data, this CVE has not been added to CISA's Known Exploited Vulnerabilities catalog. There is no widespread public disclosure of active exploitation. However, proof-of-concept code could exist in closed attacker communities. Assume opportunistic exploitation after public disclosure, especially if patching delays are widespread.
Do I need to patch Chrome immediately, or can I wait for the next regular update cycle?
You can integrate this patch into your standard update schedule (typically 4-6 weeks). Because there is no known active exploitation and the attack requires user interaction, delaying a few weeks introduces minimal additional risk. However, do not delay beyond 60 days, especially if your users are high-value targets.
Are other browsers (Firefox, Safari, Edge) affected?
This CVE is specific to Chrome's file input implementation. Firefox and Safari have their own rendering engines and are not affected by this vulnerability. Chromium-based browsers (Edge, Brave, Opera) may be affected if they use the vulnerable Chromium code; check their respective security advisories for guidance.
This analysis is based on publicly available vulnerability data as of the publication date. Exploit details, active campaign information, and vendor advisory specifics may evolve; refer to Google's official Chrome Security & Privacy Blog and your vendor advisories for authoritative patch and remediation timelines. This is not legal or compliance advice. Organizations should perform risk assessments aligned with their threat model and regulatory obligations. No exploit code or weaponization guidance is provided herein. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-11107MEDIUMGoogle Chrome UI Spoofing Vulnerability – Patch Guide
- CVE-2026-11216MEDIUMChrome File Input UI Spoofing – Patch to 149.0.7827.53
- CVE-2026-11222MEDIUMChrome Tab Strip Domain Spoofing Vulnerability – Patch Guide
- CVE-2026-11225MEDIUMChrome Domain Spoofing Vulnerability – Patch Guidance
- CVE-2026-11227MEDIUMChrome Tab Hover Card Domain Spoofing Vulnerability
- CVE-2026-11232MEDIUMGoogle Chrome TabGroups UI Spoofing Vulnerability
- CVE-2026-11245MEDIUMChrome UI Spoofing in Payments Component (CVSS 4.3)
- CVE-2026-11254MEDIUMGoogle Chrome UI Spoofing Vulnerability – Update to 149.0.7827.53