Skip to main content

Google Chrome EUVDEUVD-2026-40644

| CVE-2026-13956 MEDIUM
User Interface (UI) Misrepresentation of Critical Information (CWE-451)
2026-06-30 chrome-cve-admin@google.com GHSA-8g45-73h2-9mgw
4.2
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
4.2 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L
vuln.today AI
3.1 LOW

UI spoofing via PageInfo is network-delivered with specific gesture requirements (AC:H, UI:R); impact is limited to misleading security indicators (I:L) with no availability or confidentiality impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 02:31 vuln.today
CVSS changed
Jul 01, 2026 - 02:22 NVD
4.2 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 cve.org
MEDIUM 4.2
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Incorrect security UI in PageInfo in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

AnalysisAI

UI spoofing in Google Chrome's PageInfo component (all versions prior to 150.0.7871.47) enables remote attackers to misrepresent the browser's security indicators through a crafted HTML page that induces specific user UI gestures. The flaw (CWE-451) causes the PageInfo panel - the panel users consult to evaluate site trustworthiness - to render incorrect security UI, potentially deceiving victims into trusting malicious or unverified origins. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Host crafted HTML page on attacker-controlled domain
Delivery
Lure victim via phishing or malvertising
Exploit
Victim visits page and performs specific UI gestures
Execution
Trigger PageInfo security UI misrender
Persist
Display spoofed security indicators in Chrome panel
Impact
Victim trusts malicious origin and discloses sensitive data

Vulnerability AssessmentAI

Exploitation Exploitation requires that the victim visit a crafted HTML page AND perform specific UI gestures as orchestrated by the attacker - this is confirmed by UI:R (required user interaction) and AC:H (high attack complexity) in the CVSS vector, meaning conditions beyond attacker control must align. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.2 (Medium) with vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L reflects a bounded real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a domain mimicking a trusted financial or identity provider and serves a crafted HTML page engineered to trigger the PageInfo rendering flaw. After luring the victim to the page via phishing link, the attacker's page prompts specific UI interactions - such as clicking a fake UI element positioned near the address bar - causing Chrome's PageInfo panel to display falsely reassuring security indicators (e.g., a secure-site appearance for an insecure origin). …
Remediation The primary fix is upgrading Google Chrome to version 150.0.7871.47 or later, which corrects the incorrect security UI in the PageInfo component; this is confirmed by the Chrome stable channel advisory at http://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

EUVD-2026-40644 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy