Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
Insufficient validation of untrusted input in OptimizationGuide in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: High)
AnalysisAI
UI spoofing in Google Chrome's OptimizationGuide component (all versions prior to 148.0.7778.216) enables a remote unauthenticated attacker who has already compromised the renderer process to present false browser UI elements to the user via a crafted HTML page. The root cause is CWE-20 (Improper Input Validation) - OptimizationGuide fails to adequately validate untrusted data sourced from the renderer, allowing that data to influence trusted browser UI surfaces. With a CVSS score of 4.2, EPSS at 0.05% (15th percentile), no KEV listing, and no public exploit identified at time of analysis, real-world risk is moderate-low despite the network vector, heavily gated by the renderer-compromise prerequisite.
Technical ContextAI
OptimizationGuide is a Chrome subsystem responsible for delivering machine-learning-based performance hints, model inference, and optimization signals to various browser components. It sits at the boundary between the renderer (sandboxed, lower-trust) and the browser process (higher-trust), making it a meaningful target for sandbox-escape or cross-context manipulation. CWE-20 (Improper Input Validation) at this boundary means that renderer-supplied data is passed into OptimizationGuide without sufficient sanitization or trust enforcement, allowing it to influence browser UI rendering in unintended ways. The CPE cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* confirms this affects the desktop Chrome application across platforms. The CVSS vector AV:N/AC:H/PR:N/UI:R/S:U reflects a network-delivered attack requiring prior renderer compromise (captured in AC:H) and a user visiting a crafted page (UI:R), with unchanged scope indicating the exploit does not itself escape to the OS layer.
RemediationAI
Vendor-released patch: Chrome 148.0.7778.216. Update Google Chrome to version 148.0.7778.216 or later immediately via the browser's built-in update mechanism (Help > About Google Chrome) or through enterprise deployment tools (GPO, Google Admin Console). The fix is confirmed in the official Stable Channel Update advisory at https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html. Because exploitation requires a prior renderer compromise, organizations that enforce Chrome's Site Isolation feature (enabled by default in modern Chrome) and keep renderer sandboxing intact reduce the practical exploitability of this and similar second-stage UI spoofing issues. Restricting access to untrusted or high-risk web content through enterprise web filtering provides an additional compensating control while updates are being deployed, at the cost of potential productivity impact from over-blocking. No workaround eliminates the vulnerability - patching is the only definitive fix.
Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player
V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 for Android, and 54.0.2840.87 for Windows and Mac
Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, a
The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, do
Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb
Incorrect handling of complex species in V8 in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac and 57.0.
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi
An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi
The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se
Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Leap 16.0 | Fixed |
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33128
GHSA-g8q5-42mc-pjxg