Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Insufficient validation of untrusted input in Wallet in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
AnalysisAI
UI spoofing in Google Chrome's Wallet component (versions prior to 149.0.7827.53) permits a remote attacker who has already achieved renderer process compromise to manipulate the browser's payment/credential interface by delivering a crafted HTML page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) scores this at 4.3 Medium, but the explicit renderer-compromise prerequisite in the description significantly narrows real-world attack surface beyond what those scores imply. No public exploit identified at time of analysis, EPSS sits at 0.05% (15th percentile), there is no CISA KEV listing, and Google's own Chromium team rates this Low severity - all signals converging on limited exploitation likelihood.
Technical ContextAI
The vulnerability resides in Chrome's Wallet component - the browser-native subsystem handling payment methods, autofill credentials, and related UI surfaces. CWE-20 (Improper Input Validation) identifies the root cause: the Wallet component fails to adequately validate data arriving from the renderer process before rendering it in privileged UI contexts. Chrome's architecture isolates renderer processes in a sandbox, but when a renderer is already compromised (via a separate exploit), the attacker gains the ability to inject crafted inputs across the renderer-to-browser IPC boundary. The Wallet UI, trusting that input insufficiently, can then be induced to display spoofed interface elements. Affected versions are all Chrome desktop releases below 149.0.7827.53, per EUVD-2026-34747. No CPE string was supplied in the intelligence data, but the product scope is Chrome stable channel on desktop (Windows, macOS, Linux).
RemediationAI
Upgrade Google Chrome to version 149.0.7827.53 or later; this is the vendor-released patch confirmed via the stable channel advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Chrome's built-in auto-update mechanism will deliver this for most desktop users without manual intervention. Enterprise administrators who have deferred updates should prioritize deployment given that renderer-targeting vulnerabilities (the prerequisite chain) are a common focus for browser exploit kits. As a partial compensating control, disabling Chrome's Wallet and payment features via enterprise policy (setting PaymentMethodQueryEnabled to false) would reduce exposure to this specific Wallet UI path, though this eliminates payment autofill functionality as a trade-off. No other documented workarounds are available from vendor sources at time of analysis.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34747
GHSA-5jwx-m54q-488f