Skip to main content

Google Chrome EUVDEUVD-2026-34755

| CVE-2026-11294 MEDIUM
User Interface (UI) Misrepresentation of Critical Information (CWE-451)
2026-06-05 chrome-cve-admin@google.com GHSA-fx4r-j53w-6x62
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
5.4 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 21:01 vuln.today
CVSS changed
Jun 05, 2026 - 20:22 NVD
4.3 (MEDIUM)
CVE Published
Jun 05, 2026 - 00:17 nvd
MEDIUM 4.3
CVE Published
Jun 05, 2026 - 00:17 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

AnalysisAI

UI spoofing in Google Chrome's Passwords component (all versions prior to 149.0.7827.53) allows a remote unauthenticated attacker to visually mislead users via a crafted HTML page, exploiting CWE-451 misrepresentation of critical UI information. The integrity-only impact (CVSS I:L, C:N, A:N) is consistent with a spoofed password prompt or save dialog that could trick users into revealing credentials or accepting malicious input. No public exploit code exists, EPSS is 0.03% (11th percentile), and CISA has not added this to KEV, making this a low operational priority despite being network-reachable.

Technical ContextAI

CWE-451 (User Interface Misrepresentation of Critical Information) describes flaws where a product displays information or UI elements in a way that misleads the user about the true context or origin. In this case, Chrome's internal Passwords subsystem - responsible for rendering password save/autofill prompts and credential UI - contains an 'inappropriate implementation' that a crafted HTML page can abuse to render a spoofed password-related UI element. The CVSS scope is unchanged (S:U), meaning the exploit is confined to the browser's own process and cannot directly escape to the OS. The affected CPE is Google Chrome prior to version 149.0.7827.53 on desktop platforms. The Chromium issue tracker reference (issues.chromium.org/issues/502403953) may contain further internal detail, but its public accessibility is not confirmed.

RemediationAI

The primary fix is to upgrade Google Chrome to version 149.0.7827.53 or later, which resolves this vulnerability per the vendor's stable channel release advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Chrome's auto-update mechanism should handle this for most users; enterprise administrators should verify deployment via fleet management tooling. No vendor-documented workaround is available for environments that cannot immediately update. As a compensating control, organizations can consider disabling Chrome's built-in password manager via enterprise policy (PasswordManagerEnabled=false) and redirecting users to a managed password manager - note this trade-off degrades password hygiene if no alternative is provided. Given the low CVSS score, low EPSS, and absence of known exploits, urgent emergency patching is not indicated; inclusion in the next routine patch cycle is appropriate.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

EUVD-2026-34755 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy