CVE-2026-11666: Chrome UI Spoofing Vulnerability – Patch Update 149.0.7827.103
Google Chrome versions prior to 149.0.7827.103 contain a flaw where the browser fails to properly validate user-supplied input in certain UI elements. An attacker can exploit this by crafting a malicious HTML page that, when visited, displays fake browser UI components or dialogs—a technique known as UI spoofing. This could trick users into believing they're interacting with legitimate Chrome interface elements, potentially leading to credential theft, social engineering attacks, or other user-directed compromise. The vulnerability requires user interaction (visiting the crafted page) but no special privileges, making it a concern for general web browsing.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
- Weaknesses (CWE)
- CWE-20
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Insufficient validation of untrusted input in Input in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11666 stems from insufficient input validation (CWE-20) in Chrome's UI rendering layer. The vulnerability allows an attacker to inject or manipulate untrusted input that bypasses validation checks, resulting in the rendering of spoofed UI elements. An attacker-controlled HTML page can leverage this flaw to create believable fake browser chrome—fake address bars, certificate indicators, permission prompts, or warning dialogs—that overlay or mimic legitimate Chrome UI. The attack surface is the browser's input handling for UI state and rendering; the vector is network-based with low attack complexity, though user interaction is required to load the malicious page. The Chromium project classified this as High severity within their internal framework, though the CVSS 3.1 score of 5.4 reflects moderate overall risk due to the requirement for user action and limited direct confidentiality/availability impact.
Business impact
UI spoofing vulnerabilities pose a direct threat to user trust and security posture. Attackers could craft convincing fake login prompts, certificate warnings, or security alerts to harvest credentials or trick users into downloading malware. For organizations, this means increased phishing and social engineering risk targeting employees who browse the web. The vulnerability affects Chrome users across Windows, macOS, and Linux, meaning no single operating system platform is exempt. While the direct financial impact depends on user behavior and follow-up compromise chains, the reputational and operational costs can be significant if users unknowingly disclose credentials or allow secondary exploitation.
Affected systems
The vulnerability affects Google Chrome prior to version 149.0.7827.103 across all three major operating systems: Microsoft Windows, Apple macOS, and Linux (Linux kernel distributions). Any Chrome user on these platforms running an unpatched version is at risk. This includes both desktop and laptop deployments. Organizations running Chromebook fleets, Windows with Chrome as the primary browser, or macOS with Chrome for enterprise workflows should prioritize inventory and patching.
Exploitability
Exploitability is moderate. The attack requires a victim to visit a crafted HTML page—typically delivered via phishing email, malicious advertisement, or social engineering—but does not require the victim to take any additional action beyond normal browsing (no plugin installation, no file download required). The attacker does not need authentication or special system privileges. The low attack complexity and network accessibility make this a practical threat in real-world campaigns. However, the attack's effectiveness depends entirely on social engineering; a security-aware user who scrutinizes UI elements may avoid the trap. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation in the wild has not yet been formally documented at scale, though this does not rule out proof-of-concept activity or targeted campaigns.
Remediation
Update Google Chrome to version 149.0.7827.103 or later. The patch is available across Windows, macOS, and Linux. Users can enable automatic updates in Chrome settings (typically enabled by default), or manually check via the three-dot menu → Help → About Google Chrome, which will prompt an update and restart. Organizations should push this patch through their browser management or device management platforms immediately. No workaround exists; patching is the only mitigation. For users unable to patch immediately, avoid visiting untrusted websites and be cautious of unexpected UI prompts (e.g., fake permission requests or warnings).
Patch guidance
Chrome 149.0.7827.103 or later is required. Verify patch deployment by checking chrome://version in the address bar. For enterprise deployments, confirm that Chrome enterprise policies or device management systems push this version to all managed devices. If your organization uses automatic updates, monitor for completion to ensure no devices remain on vulnerable versions. Test patch compatibility with any custom extensions or enterprise integrations before wide rollout, though this vulnerability patch is unlikely to introduce compatibility issues.
Detection guidance
Look for patterns indicating UI spoofing attack attempts in user reports or incident logs: users reporting suspicious browser prompts or dialogs, credential submission to unusual pages, or confusion about browser functionality. Monitor for spikes in phishing reports mentioning Chrome warnings or permission dialogs. On the technical side, monitor Chrome crash reports or error logs for rendering anomalies in UI components—the vulnerability may cause rendering failures that leave traces in browser diagnostics. Network-level detection is difficult since the attack uses standard HTTPS traffic; focus on endpoint observation and user reporting.
Why prioritize this
While the CVSS score is moderate (5.4), the business risk is elevated due to the attack's reliance on social engineering, which is highly effective in practice. UI spoofing directly undermines user trust in the browser's security indicators, a foundational assumption in web security. The broad affected user base (all Chrome users on major OSes), combined with the ease of crafting a malicious page, makes this a practical threat for phishing and credential harvesting campaigns. Prioritize patching for user-facing systems and high-risk user groups (executives, financial staff, remote workers) within 7–14 days. Given the lack of KEV status, this is not an imminent nation-state exploitation risk, but the vulnerability's social engineering vector warrants urgent remediation before it becomes a campaign staple.
Risk score, explained
The CVSS 3.1 score of 5.4 (Medium) reflects a network-accessible vulnerability with low attack complexity and user interaction required. The vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L indicates limited confidentiality impact (credential disclosure is possible but not guaranteed), no integrity impact on the system itself (the page content is attacker-controlled anyway), and potential availability impact if the spoofing causes denial of service or user confusion. The score does not fully capture the social engineering risk inherent to UI spoofing, which is why security teams should treat this as higher priority than the score alone suggests. The Chromium High severity rating aligns with real-world concern even if CVSS is lower.
Frequently asked questions
Can this vulnerability be exploited without the user clicking anything?
No. The vulnerability requires the user to visit a crafted HTML page in their browser. Simply opening the page triggers the flaw, but the attacker's goal (e.g., credential theft) typically requires further user action, such as interacting with the spoofed UI. However, a sophisticated attack could chain this with other tactics to increase the likelihood of success.
Does this affect Chrome on mobile devices?
The vulnerability description specifies Chrome on Windows, macOS, and Linux kernel platforms. Mobile Chrome versions (Android and iOS) are not explicitly listed as affected in the ground-truth source data. Verify with Google's official advisory or release notes to confirm mobile impact.
What should organizations prioritize: patching users or systems?
Prioritize patching both equally. Users who browse the web are the attack vector, so endpoint Chrome updates are critical. Ensure your device management or browser update policies enforce version 149.0.7827.103 or later across all managed Chrome instances. Simultaneously, educate users to be cautious of unexpected browser prompts and to report suspicious UI behavior.
Is there a connection between this vulnerability and recent phishing campaigns?
The vulnerability is not yet listed in CISA's Known Exploited Vulnerabilities catalog, and no formal attribution of active exploitation has been published. However, UI spoofing is a classic phishing technique, and once patches lag, this vulnerability will almost certainly be weaponized. Stay alert to incident reports and threat intelligence updates from your security vendors.
This analysis is based on official vulnerability data published as of June 2026. Security teams should consult Google's official Chrome release notes and CISA advisories for authoritative patch information and confirmed affected versions. The absence of KEV listing does not guarantee absence of exploitation in the wild. Threat actors may develop exploits before public disclosure of active use. This document does not constitute security advice; organizations must conduct their own risk assessment and patch management in alignment with their security policies. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-11008MEDIUMChrome WebAppInstalls Cross-Origin Data Leak (CVSS 6.5)
- CVE-2026-11013MEDIUMChrome Network Input Validation Flaw Enables Memory Data Theft
- CVE-2026-11016MEDIUMChrome Same-Origin Policy Bypass (Medium Severity)
- CVE-2026-11022MEDIUMChrome DevTools Same-Origin Policy Bypass (Medium)
- CVE-2026-11023MEDIUMChrome Same-Origin Policy Bypass in WebAppInstalls