Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
Lifecycle Timeline
4DescriptionNVD
Inappropriate implementation in TabGroups in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via malicious network traffic. (Chromium security severity: Low)
AnalysisAI
UI spoofing via malicious network traffic in Google Chrome's TabGroups feature (all versions prior to 149.0.7827.53) enables remote unauthenticated attackers to misrepresent browser interface elements to victims, exploiting CWE-451 (UI Misrepresentation of Critical Information). The CVSS 5.4 score reflects limited but real confidentiality and availability impact (C:L/A:L), with Chromium's own severity team rating it Low. No public exploit identified at time of analysis, and Google has released a remediation in the 149.0.7827.53 stable channel update.
Technical ContextAI
CWE-451 describes failures where a UI presents information in a way that misleads users about security-critical state. In this case, the TabGroups subsystem - Chrome's feature for organizing browser tabs into labeled, color-coded groups - contains an inappropriate implementation that can be influenced by crafted network traffic. An attacker controlling network responses can cause the TabGroups UI to render misleading visual elements such as spoofed group names, labels, or trust indicators. This falls within Chromium's rendering/browser-chrome attack surface where the boundary between content (attacker-controlled) and browser UI (trusted) is insufficiently enforced. No CPE string was provided in the intelligence data, but the affected product is confirmed as Google Chrome desktop builds prior to 149.0.7827.53.
RemediationAI
Update Google Chrome to version 149.0.7827.53 or later, which includes the fix for this vulnerability per the stable channel update advisory at chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Chrome typically auto-updates when the browser is restarted; administrators managing enterprise fleets should push the update via Google Admin Console or applicable MDM. As a compensating control where immediate patching is not feasible, disabling or restricting use of the TabGroups feature reduces exposure - this can be enforced via the TabGroupsEnabled Chrome policy, though this removes tab organization functionality for users. No additional workarounds are documented in available references.
Same technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34693
GHSA-wh64-wf5g-w6pr