Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
AnalysisAI
UI spoofing in Google Chrome for iOS prior to version 149.0.7827.53 enables a remote unauthenticated attacker to misrepresent critical browser interface elements through a crafted HTML page, requiring only that the victim visit the malicious page. The vulnerability stems from an inappropriate implementation specific to the iOS platform build of Chrome (CWE-451), with impact limited to integrity - no confidentiality or availability loss. No public exploit identified at time of analysis; EPSS sits at 0.03% (11th percentile) and Chromium's own severity rating is Low, aligning with the constrained real-world impact.
Technical ContextAI
CWE-451 (User Interface Misrepresentation of Critical Information) describes failures where a product displays information in a way that can mislead users about security-critical state - in this case, the browser's own UI chrome (address bar, security indicators, or permission prompts). The vulnerability is confined to Chrome's iOS-specific rendering or UI management code, distinct from desktop Chromium, suggesting a platform adaptation introduced a divergence from expected UI behavior. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) confirms the attack is network-delivered with no privileges required but requires user interaction, and scope is unchanged - meaning the attacker cannot break out of the browser sandbox context.
RemediationAI
Update Google Chrome on iOS to version 149.0.7827.53 or later, available through the Apple App Store. This is the vendor-released patch per the Chrome Releases advisory (https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html). No workaround is identified in the available data; since the flaw is in platform-specific UI rendering code, no configuration change can fully mitigate it. Organizations managing iOS fleets via MDM should push the Chrome update through their mobile device management pipeline. Users who cannot update immediately should be advised to use Safari or another browser on iOS for sensitive sessions, though this has the operational trade-off of breaking any Chrome-specific enterprise policies or extensions.
Same technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34746
GHSA-5qc9-xcpc-j953