Skip to main content

Google Chrome CVE-2026-14142

| EUVDEUVD-2026-40829 MEDIUM
Improper Restriction of Rendered UI Layers or Frames (CWE-1021)
2026-06-30 chrome-cve-admin@google.com GHSA-jgch-4h46-4q53
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
vuln.today AI
4.2 MEDIUM

Renderer-process compromise is an explicit prerequisite raising AC to H; UI spoofing yields only limited C/I impact with no availability or scope change.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 16:10 vuln.today
CVSS changed
Jul 01, 2026 - 16:07 NVD
5.4 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 30, 2026 - 23:17 nvd
MEDIUM 5.4

DescriptionNVD

Inappropriate implementation in Extensions in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

AnalysisAI

UI spoofing in Google Chrome's Extensions implementation (all versions prior to 150.0.7871.47) enables a remote attacker - who has already achieved renderer process compromise via a separate exploit - to render deceptive UI elements through a crafted HTML page, potentially misleading users into unintended interactions. The vulnerability carries a CVSS 5.4 Medium score, though Chromium's internal rating is Low, and the EPSS score of 0.18% (8th percentile) reflects minimal exploitation probability. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Exploit separate Chrome renderer vulnerability
Delivery
Gain control of sandboxed renderer process
Exploit
Deliver crafted HTML page via Extensions API
Execution
Spoof trusted Chrome UI elements (e.g., permission dialog)
Persist
Deceive user into interacting with fake UI
Impact
Achieve limited confidentiality or integrity impact

Vulnerability AssessmentAI

Exploitation Exploitation requires two distinct prerequisites: (1) the attacker must have already compromised the Chrome renderer process through a separate, unrelated vulnerability - this is an explicit condition stated in the CVE description and is not a trivial prerequisite; and (2) user interaction (UI:R) is required, meaning the victim must interact with the spoofed UI element for the attack to succeed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is materially lower than the NVD CVSS 5.4 suggests. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has already leveraged a separate, unpatched Chrome renderer vulnerability to gain control of the sandboxed renderer process could then deliver a crafted HTML page that abuses the Extensions subsystem to overlay fake Chrome UI elements - such as a spoofed permission dialog claiming to be a trusted Chrome prompt - causing the victim user to unknowingly grant access or disclose credentials. No public proof-of-concept code for this specific CVE has been identified, making opportunistic mass exploitation unlikely; targeted use as a second-stage chained exploit is the realistic threat model.
Remediation Vendor-released patch: Chrome 150.0.7871.47. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-14142 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy