Chrome CVE-2026-0907

CRITICAL
User Interface (UI) Misrepresentation of Critical Information (CWE-451)
2026-01-20 chrome-cve-admin@google.com
Critical
Disputed · 9.8 NVD

Severity by source

Sources disagree (Low–Critical)

  • NVD (primary): 9.8 CRITICAL, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • SUSE: CRITICAL (qualitative)
  • Red Hat: 4.3 LOW (qualitative)

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Lifecycle Timeline (3)

  • Patch released: Apr 09, 2026 - 14:30 (nvd). Patch available
  • Analysis Generated: Mar 12, 2026 - 21:54 (vuln.today)
  • CVE Published: Jan 20, 2026 - 05:16 (nvd). CRITICAL 9.8

Description (CVE.org)

Incorrect security UI in Split View in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

Analysis (AI)

Chrome Split View prior to 144.0.7559.59 has a UI spoofing vulnerability that allows remote attackers to display misleading content in the split view interface.

Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Craft malicious HTML page
  • Exploit: Load page in Chrome Split View
  • Execution: Spoof security UI elements
  • Impact: Trick user into dangerous action

Vulnerability Assessment (AI)

  • Exploitation: Google Chrome prior to version 144.0.7559.59 with Split View feature active. … Additional conditions and limiting factors are described in the full assessment.
  • Risk Assessment: CVSS 9.8. Split View is a relatively new Chrome feature. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
  • Exploit Scenario: An attacker exploits the Split View UI spoofing to display a legitimate website in one pane while showing a spoofed phishing page in the other, leveraging the trusted context of the legitimate site.
  • Remediation: Update Chrome to 144.0.7559.59 or later. Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Identify all affected systems running Split View in Google Chrome and apply vendor patches immediately. …

Vendor Status (Vendor)

SUSE

Severity: Critical

Product: Status
  • SUSE Package Hub 15 SP6: Fixed
  • openSUSE Leap 15.6: Fixed
  • openSUSE Leap 16.0: Fixed
  • openSUSE Tumbleweed: Fixed