Skip to main content

Google Chrome CVE-2026-11228

| EUVDEUVD-2026-34689 MEDIUM
User Interface (UI) Misrepresentation of Critical Information (CWE-451)
2026-06-04 chrome-cve-admin@google.com GHSA-jgp7-m5h4-gf5p
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
5.4 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 14:23 vuln.today
CVSS changed
Jun 05, 2026 - 14:22 NVD
4.3 (None) 4.3 (MEDIUM)
CVE Published
Jun 04, 2026 - 23:17 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 04, 2026 - 23:17 nvd
MEDIUM 4.3

DescriptionCVE.org

Inappropriate implementation in File Input in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

AnalysisAI

UI spoofing in Google Chrome's File Input component allows remote unauthenticated attackers to misrepresent interface elements when a user is socially engineered into performing specific UI gestures on a crafted HTML page. Affected versions are all Chrome releases prior to 149.0.7827.53. The vulnerability carries a Chromium-assigned severity of Low and is limited to integrity impact (I:L) with no confidentiality or availability consequences. No public exploit code exists and no active exploitation is confirmed at time of analysis.

Technical ContextAI

CWE-451 (User Interface Misrepresentation of Critical Information) describes the root cause: the browser fails to accurately represent security-relevant state to the user through its UI. Specifically, the affected component is the HTML File Input element (<input type='file'>), which handles file selection dialogs and associated UI rendering. An inappropriate implementation in this component allows a crafted HTML page to influence how file-related UI elements are rendered or labeled, enabling an attacker to spoof what the user perceives as a trusted or benign file dialog interaction. This class of vulnerability is particularly relevant in browser contexts because users rely on accurate file picker UI to make security decisions about what data they share.

RemediationAI

Update Google Chrome to version 149.0.7827.53 or later via the stable channel desktop update. The patch is confirmed available per Google's Chrome Releases advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Most Chrome installations with auto-update enabled will receive this patch automatically. For enterprise environments managing Chrome via policy, deploy the update through your endpoint management tooling. Given the low severity and requirement for active user UI interaction, no emergency workaround is needed for most organizations; standard patch cadence is appropriate. There are no known workarounds beyond updating, as the underlying implementation flaw is in the browser's File Input rendering logic.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-11228 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy