Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L
UI spoofing is network-delivered (AV:N) with high complexity due to required gesture sequence (AC:H); no availability impact is substantiated by a UI-only misrepresentation flaw.
Primary rating from Vendor (google).
CVSS VectorVendor: google
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Incorrect security UI in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
AnalysisAI
UI spoofing in Google Chrome for iOS prior to 150.0.7871.47 allows a remote attacker to misrepresent security indicators to users who are socially engineered into performing specific UI gestures on a crafted HTML page. The root cause is incorrect rendering of security UI elements (CWE-451), classified by the Chromium team as Low severity. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to be running Google Chrome for iOS on an Apple iOS device with Chrome version below 150.0.7871.47. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L) assigns a score of 4.2, with High Attack Complexity being the most significant risk-limiting factor - exploitation requires convincing a user to perform specific, presumably non-obvious UI gestures in addition to visiting a malicious page. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker hosts a crafted HTML page designed to trigger the incorrect security UI rendering in Chrome for iOS, then distributes a link via phishing email or malicious advertisement. When a victim on an unpatched iOS device visits the page and is manipulated into performing specific swipe or tap gestures, the browser's security indicators (such as the address bar or origin display) are spoofed, potentially leading the user to believe they are on a trusted site. … |
| Remediation | Update Google Chrome on iOS to version 150.0.7871.47 or later via the Apple App Store. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Moderate| Product | Status |
|---|---|
| SUSE Package Hub 15 SP7 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Package Hub 15 SP7 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40716
GHSA-mvjh-xxj9-wvhq