CVE-2026-11254: Google Chrome UI Spoofing Vulnerability – Update to 149.0.7827.53
Google Chrome versions prior to 149.0.7827.53 contain a UI spoofing vulnerability in its permissions implementation. An attacker can craft a malicious HTML page that, when visited by a user, displays fake permission prompts or other interface elements to deceive users into granting access or performing unintended actions. The attack requires user interaction—specifically, the victim must visit the attacker's page—but does not require any special browser configuration or privilege level.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-451
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in Permissions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This vulnerability stems from improper implementation of the permissions subsystem in Chromium. The flaw allows a remote attacker to craft HTML that presents spoofed UI elements overlaid on or mimicking Chrome's native permission dialogs. The underlying issue is classified as CWE-451 (User Interface (UI) Misrepresentation of Critical Information). An attacker exploiting this can deceive users about what permissions or actions they are authorizing, potentially leading to unauthorized access to sensitive browser features such as camera, microphone, location, or clipboard access. The attack surface is the user's browser session; no server-side compromise or elevation of privilege is required.
Business impact
This vulnerability primarily threatens user privacy and data exposure. Organizations whose employees interact with untrusted web content face risk of credential harvesting, accidental permission grants that expose sensitive data (location, camera, microphone feeds), and erosion of user trust in Chrome's security indicators. For companies with BYOD policies or those relying on browser-based security controls, UI spoofing attacks can bypass user-facing security posture. The impact is mitigated by the requirement for user interaction and the fact that no data confidentiality or availability is directly compromised—only the integrity of the user's informed consent is at risk.
Affected systems
The vulnerability affects Google Chrome prior to version 149.0.7827.53. While Chrome is the primary affected product, the Chromium security advisory lists impact across platforms: Windows, macOS, and Linux systems running affected Chrome versions are in scope. Other Chromium-based browsers (Edge, Brave, etc.) should be evaluated based on their individual version timelines relative to this Chromium fix.
Exploitability
Exploitability is straightforward from an attacker perspective. The attack requires only a crafted HTML page hosted on an attacker-controlled or compromised website. No authentication, privilege escalation, or user-level system compromise is necessary. However, successful exploitation depends on social engineering: the attacker must convince a user to visit the malicious page and interact with the spoofed UI. Automated, large-scale exploitation would be limited by the need for user action, making targeted phishing campaigns a more realistic attack vector than mass exploitation. The CVSS score of 4.3 reflects low severity partly because of this user-interaction requirement.
Remediation
The primary remediation is to update Google Chrome to version 149.0.7827.53 or later. Chrome's automatic update mechanism typically rolls out patches within days of release; however, security teams should verify the installed version across their fleet. For organizations managing Chrome through policies (via Google Admin Console or third-party MDM), ensure that auto-update is enabled or schedule a controlled deployment. No workarounds exist that mitigate the underlying permissions logic flaw; patching is the only reliable fix.
Patch guidance
Update to Google Chrome 149.0.7827.53 or any later stable release. Verify the update using Chrome's version page (chrome://version or Settings > About Chrome). For enterprise deployments: use your MDM or policy management tool to verify compliance; consider staged rollout if mass updates are impractical. Monitor browser telemetry to confirm successful patching across your user base. For Chromium-based browsers (Edge, Brave, etc.), check the upstream Chromium fix timeline and apply equivalent patches from each vendor.
Detection guidance
Detection of active exploitation is challenging because the attack manifests purely in user behavior—a user interacting with a spoofed dialog. Detection strategies include: (1) Monitor for reports of unexpected permission grants or user complaints about seeing suspicious permission prompts; (2) Use Chrome Enterprise reporting or endpoint detection tools to identify users on pre-149.0.7827.53 versions; (3) If deployed, use web content filtering to block known malicious domains hosting proof-of-concept exploits or phishing pages that use this technique; (4) Educate users to verify permission prompts by checking the URL bar and the browser's native permission UI styling. No log-based signature is reliably available for this UI-level attack.
Why prioritize this
While the CVSS score is moderate (4.3), this vulnerability should be prioritized for patching due to its ease of exploitation and the breadth of affected systems. Every Chrome user is a potential target. The attack does not require sophisticated tools or deep technical knowledge, making it attractive to attackers conducting phishing campaigns or compromised site redirection attacks. Although the direct impact is limited to UI deception, the downstream effects (credential theft, unwanted permission grants) can be severe. Given Chrome's ubiquity in enterprise and consumer environments, prompt patching reduces organizational risk substantially.
Risk score, explained
The CVSS 3.1 score of 4.3 (Medium severity) reflects: Network Attack Vector (AV:N) and Low Attack Complexity (AC:L), indicating the vulnerability is easily reachable and exploitable; Required User Interaction (UI:R) reduces the score because social engineering is necessary; and Integrity Impact (I:L) captures the misrepresentation of UI, with Low impact because the integrity of user consent is compromised, not system data. No Confidentiality or Availability impact is reflected because the flaw does not leak data or crash the browser. The Chromium security team initially classified it as Low severity, but the CVSS calculation yields Medium; both assessments indicate this is not a critical vulnerability but warrants timely patching.
Frequently asked questions
Can this vulnerability steal my passwords or data directly?
No. The vulnerability allows an attacker to deceive you about what permissions you are granting (e.g., accessing your camera or location), but it does not directly read or exfiltrate data from your computer. However, if tricked into granting a permission you did not intend to grant, an attacker could then access that resource (such as your microphone). The risk is indirect, through social engineering.
Do I need to do anything beyond updating Chrome?
Updating to version 149.0.7827.53 or later is the complete fix. No additional configuration or behavioral changes are required. However, remaining vigilant about permission prompts—checking the URL bar and verifying you trust the site before accepting—is always good practice.
Does this affect browsers other than Chrome?
This specific CVE affects Chrome versions prior to 149.0.7827.53. If you use Chromium-based browsers (Microsoft Edge, Brave, Opera, etc.), check whether your browser vendor has released a corresponding patch. Each vendor applies Chromium security patches on their own timeline, so versions may differ.
Is there any indication this is being actively exploited in the wild?
As of the vulnerability publication date, this CVE has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting no widespread active exploitation has been documented. However, the ease of exploitation means it could be used opportunistically in targeted phishing or watering-hole attacks. Staying patched is the best defense against both known and potential future exploitation.
This analysis is provided for informational purposes and is based on the CVE description, CVSS metrics, and publicly available information current as of the publication date. No exploit code or weaponized proof-of-concept is provided. Organizations should verify patch availability and compatibility in their own environments before deploying updates. Security decisions should be informed by internal risk assessments and validated against vendor advisories. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and recommends consulting official Google Chrome security releases for authoritative information. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-11107MEDIUMGoogle Chrome UI Spoofing Vulnerability – Patch Guide
- CVE-2026-11216MEDIUMChrome File Input UI Spoofing – Patch to 149.0.7827.53
- CVE-2026-11222MEDIUMChrome Tab Strip Domain Spoofing Vulnerability – Patch Guide
- CVE-2026-11225MEDIUMChrome Domain Spoofing Vulnerability – Patch Guidance
- CVE-2026-11227MEDIUMChrome Tab Hover Card Domain Spoofing Vulnerability
- CVE-2026-11228MEDIUMChrome UI Spoofing Vulnerability via File Input Flaw
- CVE-2026-11232MEDIUMGoogle Chrome TabGroups UI Spoofing Vulnerability
- CVE-2026-11245MEDIUMChrome UI Spoofing in Payments Component (CVSS 4.3)