Severity by source
Sources disagree (Low–High)AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Insufficient validation of untrusted input in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
AnalysisAI
UI spoofing in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to deceive users via a crafted HTML page through insufficient input validation in the Media component. The flaw carries a CVSS of 8.3 due to scope change and high impact ratings, though Chromium internally rates the severity as Low, and no public exploit identified at time of analysis. Exploitation requires a pre-existing renderer compromise and user interaction, narrowing realistic risk despite the elevated CVSS.
Technical ContextAI
The vulnerability resides in Chrome's Media subsystem, which handles parsing and rendering of audio/video content embedded in HTML pages. Rooted in CWE-20 (Improper Input Validation), the bug stems from the Media component accepting untrusted input without sufficient sanitization, enabling rendering behavior that can be manipulated to spoof UI elements such as origin indicators, dialogs, or media overlays. Because Chrome's renderer process is sandboxed, this issue is positioned as a post-compromise primitive that an attacker would chain with a separate renderer RCE to escalate the user-visible deception beyond what the sandbox normally permits.
RemediationAI
Upgrade to Google Chrome 149.0.7827.53 or later via the Stable channel update documented at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html (Vendor-released patch: 149.0.7827.53); enterprise deployments should force a browser relaunch through policy to ensure the patched binary is loaded rather than relying on user-initiated restarts. For Chromium-derivative browsers, monitor the respective vendor channels and apply rebased builds as they ship. As a compensating control prior to patching, restrict installation of untrusted extensions and block known malicious media-hosting domains at the proxy or DNS layer to reduce exposure to crafted HTML pages, accepting the trade-off that legitimate media sites may be impacted; tracking issue details are available at https://issues.chromium.org/issues/496617698.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Important| Product | Status |
|---|---|
| SUSE Package Hub 15 SP7 | Fixed |
| openSUSE Leap 16.0 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Package Hub 15 SP7 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34698
GHSA-p2fc-jrv5-w4xq