Skip to main content

Google Chrome EUVDEUVD-2026-34693

| CVE-2026-11232 MEDIUM
User Interface (UI) Misrepresentation of Critical Information (CWE-451)
2026-06-04 chrome-cve-admin@google.com GHSA-wh64-wf5g-w6pr
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
SUSE
MEDIUM
qualitative
Red Hat
4.3 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 13:27 vuln.today
CVSS changed
Jun 05, 2026 - 13:22 NVD
5.4 (MEDIUM)
CVE Published
Jun 04, 2026 - 23:17 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 04, 2026 - 23:17 nvd
MEDIUM 5.4

DescriptionNVD

Inappropriate implementation in TabGroups in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via malicious network traffic. (Chromium security severity: Low)

AnalysisAI

UI spoofing via malicious network traffic in Google Chrome's TabGroups feature (all versions prior to 149.0.7827.53) enables remote unauthenticated attackers to misrepresent browser interface elements to victims, exploiting CWE-451 (UI Misrepresentation of Critical Information). The CVSS 5.4 score reflects limited but real confidentiality and availability impact (C:L/A:L), with Chromium's own severity team rating it Low. No public exploit identified at time of analysis, and Google has released a remediation in the 149.0.7827.53 stable channel update.

Technical ContextAI

CWE-451 describes failures where a UI presents information in a way that misleads users about security-critical state. In this case, the TabGroups subsystem - Chrome's feature for organizing browser tabs into labeled, color-coded groups - contains an inappropriate implementation that can be influenced by crafted network traffic. An attacker controlling network responses can cause the TabGroups UI to render misleading visual elements such as spoofed group names, labels, or trust indicators. This falls within Chromium's rendering/browser-chrome attack surface where the boundary between content (attacker-controlled) and browser UI (trusted) is insufficiently enforced. No CPE string was provided in the intelligence data, but the affected product is confirmed as Google Chrome desktop builds prior to 149.0.7827.53.

RemediationAI

Update Google Chrome to version 149.0.7827.53 or later, which includes the fix for this vulnerability per the stable channel update advisory at chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Chrome typically auto-updates when the browser is restarted; administrators managing enterprise fleets should push the update via Google Admin Console or applicable MDM. As a compensating control where immediate patching is not feasible, disabling or restricting use of the TabGroups feature reduces exposure - this can be enforced via the TabGroupsEnabled Chrome policy, though this removes tab organization functionality for users. No additional workarounds are documented in available references.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

EUVD-2026-34693 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy