CVE-2026-11300: Chrome UI Spoofing Vulnerability in Permissions—CVSS 4.3 Update Guide
Google Chrome versions before 149.0.7827.53 contain a flaw in how it handles permissions that allows an attacker to trick users with a specially crafted web page. The attack doesn't steal data or crash the browser—instead, it displays fake permission dialogs or UI elements that might convince a user to grant access they shouldn't. The attacker needs the victim to visit the malicious page, but no special user configuration is required beforehand.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-451
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in Permissions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11300 stems from an inappropriate implementation in Chrome's permissions subsystem, classified as CWE-451 (User Interface Inconsistency). The vulnerability enables UI spoofing—the construction of fake or misleading interface elements—through a crafted HTML payload served over the network. The integrity impact is limited to deception rather than code execution or data exfiltration. Chromium's security team rated this 'Low' severity at the engine level, though the CVSS v3.1 assessment reflects a MEDIUM score (4.3) accounting for the user interaction requirement and lack of confidentiality or availability impact.
Business impact
The primary risk is social engineering amplification: attackers can craft pages that closely mimic legitimate Chrome permission prompts, increasing the likelihood users grant microphone, camera, location, or clipboard access they would normally deny. This creates downstream risks for data exfiltration through browser APIs. Organizations with heavy web application reliance—particularly those handling sensitive communications—face elevated exposure if users are not security-aware. The attack does not enable lateral movement or persistence on its own but may serve as a stepping stone in multi-stage compromises targeting high-value users.
Affected systems
Google Chrome is the primary affected application. The vulnerability affects Chrome on Windows, macOS, and Linux distributions, reflecting the cross-platform nature of Chromium. Version 149.0.7827.53 and later include the fix; all earlier versions of Chrome are vulnerable. While the source lists generic OS entries, the vulnerability is specific to Chrome itself—the operating system is listed because Chrome runs on those platforms, not because the OS code is flawed.
Exploitability
Exploitability is straightforward from an attacker perspective: a crafted HTML page is trivial to host, and no special privileges, authentication, or uncommon browser configuration are required. The sole barrier is user interaction—the victim must visit the attacker's site or click a link. This is a low bar in the modern web. No known public exploits are documented in the KEV catalog, indicating active exploitation in the wild has not been formally tracked by CISA, though the simplicity of the attack suggests defensive adoption should not be delayed.
Remediation
Update Google Chrome to version 149.0.7827.53 or later. Chrome's auto-update mechanism will typically deliver this patch within days of release; verify your version in chrome://settings/help. Organizations managing Chrome through mobile device management (MDM) or group policy should ensure their deployment pipelines are configured to roll out the patch promptly. No workarounds exist; updating is the only remediation.
Patch guidance
Chrome users and administrators should prioritize this update within standard maintenance windows—the MEDIUM severity and low active exploitation risk do not demand emergency patching, but deferral beyond 30 days is not advisable given the ease of exploitation. Automated update policies should be verified to confirm they are active. For enterprise deployments, confirm version 149.0.7827.53 or later is deployed via your MDM console or Group Policy reporting. Test on a pilot group if your environment requires staged rollouts.
Detection guidance
Detection of exploitation attempts is challenging without application-layer logging. Organizations can monitor for patterns of unusual permission grant activity (e.g., sudden spikes in microphone or camera access approval) via Chrome remote desktop logs or enterprise audit tools, but false-positive rates may be high. Endpoint detection and response (EDR) solutions monitoring Chrome process spawning or API calls related to permissions may flag suspicious activity, though this is environment-specific. Browser isolation or sandboxing technologies reduce attack surface by preventing HTML payloads from interacting with native permissions.
Why prioritize this
Although Chromium rated this 'Low,' the CVSS score of 4.3 and the trivial attack complexity warrant moderate priority. The attack is weaponizable without zero-day development; a confirmed patch exists; and the impact, while limited to UI deception, can facilitate downstream compromise. Organizations should not deprioritize this below other MEDIUM-scored vulnerabilities, as the exploitation barrier is genuinely low. If your user base includes high-value targets (executives, developers with API credentials), prioritize accordingly.
Risk score, explained
The CVSS 4.3 (MEDIUM) score reflects: network-accessible attack vector (AV:N), low attack complexity (AC:L), no privilege or authentication required (PR:N, AU not applicable), required user interaction (UI:R), unchanged scope (S:U), and integrity impact only—no confidentiality or availability loss (C:N, I:L, A:N). The 'Low' Chromium severity appears conservative; in practice, the combination of network accessibility and minimal user friction justifies the MEDIUM rating when considering real-world social engineering risk.
Frequently asked questions
Can this vulnerability be exploited without the user visiting an attacker's site?
No. The attacker must serve the malicious HTML page and convince or trick the user into visiting it. Stored XSS in a legitimate website could distribute the payload, but the attack itself does not propagate autonomously through network worms or drive-by downloads.
Does this vulnerability allow attackers to steal data directly?
No. The vulnerability enables UI spoofing—fake permission dialogs—to trick users into granting permissions they otherwise would not. Once a permission is granted, attackers can access those resources (e.g., camera, microphone) through legitimate browser APIs, but the vulnerability itself does not extract data without user action.
Are non-Chromium browsers affected?
No. This is specific to Google Chrome and Chromium-based browsers that use the same permissions subsystem. Firefox, Safari, and other engines have their own permissions implementations and are not affected by this flaw.
What should I do if users have already granted suspicious permissions after visiting untrusted sites?
Review and revoke unnecessary permissions for affected profiles via chrome://settings/content. Educate users on permission prompts and the risk of granting access to untrusted sites. Monitor for unusual use of camera, microphone, or location data. After patching, consider periodic permission audits as part of security awareness.
This analysis is based on publicly available information as of the publication date. CVSS scores, patch versions, and affected product lists are derived from official sources (NVD, vendor advisories); verification against the latest vendor documentation is recommended before deployment decisions. This explainer does not constitute legal or compliance advice. Organizations should assess risk in the context of their own environment, user base, and threat model. No exploit code or weaponized proof-of-concept is provided herein. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-11107MEDIUMGoogle Chrome UI Spoofing Vulnerability – Patch Guide
- CVE-2026-11216MEDIUMChrome File Input UI Spoofing – Patch to 149.0.7827.53
- CVE-2026-11222MEDIUMChrome Tab Strip Domain Spoofing Vulnerability – Patch Guide
- CVE-2026-11225MEDIUMChrome Domain Spoofing Vulnerability – Patch Guidance
- CVE-2026-11227MEDIUMChrome Tab Hover Card Domain Spoofing Vulnerability
- CVE-2026-11228MEDIUMChrome UI Spoofing Vulnerability via File Input Flaw
- CVE-2026-11232MEDIUMGoogle Chrome TabGroups UI Spoofing Vulnerability
- CVE-2026-11245MEDIUMChrome UI Spoofing in Payments Component (CVSS 4.3)