Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Insufficient validation of untrusted input in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via malicious network traffic. (Chromium security severity: Medium)
AnalysisAI
UI spoofing in Google Chrome's Password Manager component (versions prior to 149.0.7827.53) allows a remote unauthenticated attacker to manipulate the Password Manager's visual interface via crafted malicious network traffic, potentially deceiving users about credential prompts or password state. Exploitation requires user interaction (CVSS UI:R), limiting opportunistic mass exploitation. No public exploit code exists and no active exploitation is confirmed - EPSS sits at just 0.05% (15th percentile), consistent with a low-priority medium-severity browser component flaw. A vendor-released patch is available in Chrome 149.0.7827.53.
Technical ContextAI
The root cause is CWE-20 (Improper Input Validation): Chrome's Password Manager component fails to sufficiently validate network-supplied data before using it to render UI elements. Because browser password managers consume and display metadata sourced from network responses (e.g., form field attributes, site identity signals), an attacker-controlled server can craft responses that bypass validation and inject spoofed UI into the Password Manager interface. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) confirms the vulnerability is network-reachable with low attack complexity and no required privileges, but integrity impact is limited (I:L) and scope is unchanged, indicating the spoofing is confined to the browser UI layer rather than OS or cross-origin contexts. Affected CPE is Google Chrome desktop versions below 149.0.7827.53, as confirmed by EUVD-2026-34653.
RemediationAI
The primary remediation is upgrading Google Chrome to version 149.0.7827.53 or later, which contains the vendor-released fix. Most Chrome installations update automatically; users should verify their version via chrome://settings/help and trigger a manual update if needed. The advisory is available at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. As a compensating control for environments that cannot update immediately, administrators can disable Chrome's built-in Password Manager via enterprise policy (PasswordManagerEnabled=false), which removes the vulnerable component from the attack surface at the cost of losing native credential autofill functionality - users would need to rely on a third-party password manager extension. Given the low EPSS and absence of active exploitation, forced emergency patching outside normal patch cycles is unlikely to be warranted for most organizations.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34653
GHSA-vwx3-v2xg-5c8h