CVE-2026-11237: Google Chrome Media UI Spoofing Vulnerability (v149.0.7827.53)
Google Chrome versions before 149.0.7827.53 contain a vulnerability that allows an attacker who has already compromised Chrome's renderer process to trick users through fake or misleading interface elements displayed on a web page. While the underlying flaw is rated 'Low' severity by Chromium, the impact assessment reflects the potential for convincing visual deception attacks that could mislead users into taking harmful actions.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-20
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Insufficient validation of untrusted input in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from insufficient input validation in Chrome's Media component when processing untrusted HTML content. An attacker with control of the renderer process can craft HTML pages that exploit this weakness to perform UI spoofing—overlaying or replacing legitimate interface elements with malicious counterparts. The attack requires both renderer compromise (a significant prerequisite) and user interaction. CWE-20 (Improper Input Validation) is the root cause classification.
Business impact
UI spoofing attacks can enable credential theft, malware distribution, or social engineering at scale. If an attacker has already achieved renderer process compromise through another vulnerability, this flaw becomes a secondary persistence and exploitation vector. Organizations with users on unpatched Chrome versions face elevated risk of account takeover and data exfiltration through convincing phishing interfaces that appear legitimate because they replace actual UI elements.
Affected systems
Google Chrome versions prior to 149.0.7827.53 are vulnerable. This includes all stable, beta, and extended-support Chrome releases before this version number across Windows, macOS, and Linux platforms. Organizations relying on automatic Chrome updates or managed enterprise deployments should verify their current version against this threshold.
Exploitability
Exploitation requires two prerequisites: (1) the attacker must first compromise the Chrome renderer process through a separate vulnerability or attack, and (2) the user must interact with a crafted HTML page served by the attacker. While the CVSS score of 8.3 reflects high potential impact, the practical attack chain is not trivial. This is not a wormable or zero-click vulnerability; however, in scenarios where renderer compromise has already occurred (such as in targeted attacks or following a chain of exploits), weaponization becomes straightforward.
Remediation
Update Google Chrome to version 149.0.7827.53 or later. Users should enable Chrome's automatic update feature if not already active. Enterprise administrators should deploy this update through their browser management tools and confirm rollout across all managed devices within 30 days of the patch release date.
Patch guidance
Chrome updates are typically deployed automatically on restart. To verify the installed version, navigate to chrome://settings/help, which will display the current version and trigger an immediate update check if needed. For managed enterprises, use Chrome Enterprise policies to enforce minimum version requirements via the 'MinimumChromeVersion' or similar policy controls. Test the patch in a limited environment before full deployment to ensure no compatibility issues with internal applications.
Detection guidance
Monitor for unusual Chrome renderer crashes or process terminations, which may indicate exploitation attempts. Look for HTML pages or web traffic with crafted Media elements that deviate from standard HTML5 specifications. Endpoint Detection and Response (EDR) tools should flag attempts to modify Chrome's UI rendering in unexpected ways. Network monitoring for anomalous traffic to known malicious domains serving exploit HTML can provide early warning in combination with other indicators.
Why prioritize this
Although Chromium's internal severity is Low, the CVSS 8.3 rating reflects the high-impact nature of successful exploitation: complete compromise of confidentiality, integrity, and availability across security boundaries (S:C). Prioritization should be moderate-to-high because the attack requires prior renderer compromise, limiting opportunistic exploitation, but organizations should not delay patching given the secondary attack vector risk in advanced persistent threat scenarios.
Risk score, explained
The CVSS 8.3 score (HIGH severity) is driven by: (1) network-based attack vector requiring no authentication, (2) high complexity (AC:H) reflecting the renderer compromise prerequisite, (3) user interaction requirement limiting immediate impact, (4) scope change allowing impact beyond the vulnerable component, and (5) high impact across all three security properties (confidentiality, integrity, availability). The discrepancy between Chromium's Low severity and the CVSS 8.3 rating reflects how Chromium's internal severity model may weigh exploitability prerequisites differently than CVSS does.
Frequently asked questions
If Chrome is set to auto-update, am I automatically protected?
Yes, provided you restart your browser. Chrome's auto-update mechanism will fetch version 149.0.7827.53 or later in the background, but the new version is not active until Chrome restarts. Verify protection by navigating to chrome://settings/help and confirming the version number matches or exceeds 149.0.7827.53.
Does this vulnerability affect Chrome on mobile devices?
The CVE description references Chrome prior to 149.0.7827.53 without platform-specific carve-outs. Apply the same version check on Android and iOS Chrome installations. Mobile browser updates follow the same versioning scheme, so confirm your mobile Chrome version against the patched release.
What's the difference between Chromium's 'Low' severity and the CVSS 8.3 'HIGH' rating?
Chromium's internal severity model prioritizes exploitability difficulty and real-world attack prevalence. The CVSS score is a standardized metric that emphasizes impact severity assuming successful exploitation. This vulnerability has high impact (UI spoofing can lead to credential theft) but requires prior renderer compromise, explaining the discrepancy. Both ratings are valid in different contexts.
Does disabling JavaScript or using restricted browsing modes protect against this?
Partially. Since the flaw is in the Media component and involves HTML parsing, disabling JavaScript alone may not be sufficient. However, avoiding untrusted websites and maintaining patched Chrome is the primary defense. Browser sandboxing and process isolation (Chrome's default architecture) already mitigate some attack scenarios.
This analysis is provided for informational purposes and does not constitute legal or professional security advice. The information is current as of the publication date; refer to Google's official Chrome release notes and security advisories for authoritative patch details and timeline information. Organizations should conduct internal risk assessments and compatibility testing before deploying patches. SEC.co makes no warranty regarding the completeness or accuracy of this analysis relative to undisclosed or emerging information about this vulnerability. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-22424HIGHAndroid Local Privilege Escalation via Image Disclosure
- CVE-2026-0078HIGHAndroid Privilege Escalation via DevicePolicyManagerService Desync
- CVE-2026-10020HIGHChrome Android Sandbox Escape via Skia Input Validation Flaw
- CVE-2026-10021HIGHGoogle Chrome USB Validation Flaw – RCE Vulnerability Patch
- CVE-2026-10904HIGHChrome V8 Sandbox Escape Remote Code Execution
- CVE-2026-10911HIGHChrome Sandbox Escape Vulnerability (High Severity)
- CVE-2026-10917HIGHChrome Media Sandbox Escape Vulnerability (High CVSS 8.3)
- CVE-2026-10920HIGHChrome macOS WebShare Sandbox Escape Vulnerability (v149)