Skip to main content

Google Chrome CVE-2026-14030

| EUVDEUVD-2026-40717 MEDIUM
User Interface (UI) Misrepresentation of Critical Information (CWE-451)
2026-06-30 chrome-cve-admin@google.com GHSA-xjcw-cwpv-wfvx
4.2
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
4.2 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L
vuln.today AI
3.1 LOW

URL bar spoofing yields only integrity impact; A:N replaces vendor's A:L as no availability mechanism is described; remaining metrics match description and confirmed CVSS vector.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 02:38 vuln.today
CVSS changed
Jul 01, 2026 - 02:22 NVD
4.2 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 30, 2026 - 23:17 cve.org
MEDIUM 4.2

DescriptionCVE.org

Inappropriate implementation in SplitView in Google Chrome on Linux prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low)

AnalysisAI

Omnibox (URL bar) spoofing in Google Chrome on Linux prior to 150.0.7871.47 is possible through an inappropriate SplitView implementation, allowing remote attackers to display false URLs to victims who are tricked into performing specific UI gestures on a crafted HTML page. This CWE-451 class flaw undermines browser trust indicators and enables phishing scenarios, though exploitation is constrained by high attack complexity and mandatory user interaction. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Host crafted HTML page
Delivery
Lure Linux Chrome user to page
Exploit
Social-engineer specific SplitView UI gestures
Execution
SplitView misrepresents Omnibox URL
Persist
Victim trusts spoofed URL
Impact
Credential or session phishing succeeds

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) the victim must be running Google Chrome on Linux specifically - the CVE is scoped to Linux and no other platforms are affected; (2) the Chrome version must be prior to 150.0.7871.47; (3) the victim must visit a crafted HTML page AND actively perform specific UI gestures, confirmed by CVSS UI:R and the description's explicit 'specific UI gestures' language; (4) the attacker must engineer those gestures via social engineering or page design. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L yields a base score of 4.2, which accurately reflects the constrained real-world risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a crafted HTML page and lures a Linux Chrome user to visit it via phishing or malvertising. The page is designed to prompt the user into performing specific SplitView UI gestures - such as drag or split interactions - which trigger the Omnibox misrepresentation, causing the URL bar to display a trusted domain (e.g., a bank or identity provider) while the user remains on the attacker-controlled origin. …
Remediation Vendor-released patch: Chrome 150.0.7871.47 for Linux. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-14030 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy