Skip to main content

Google Chrome EUVDEUVD-2026-40690

| CVE-2026-14002 MEDIUM
User Interface (UI) Misrepresentation of Critical Information (CWE-451)
2026-06-30 chrome-cve-admin@google.com GHSA-77v7-hgwq-94jj
6.5
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
vuln.today AI
5.3 MEDIUM

AC:H reflects the mandatory renderer-compromise prerequisite; all other metrics follow the provided vector, as UI:R and I:H are consistent with the spoofing impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 16:34 vuln.today
CVSS changed
Jul 01, 2026 - 16:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 cve.org
MEDIUM 6.5
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Inappropriate implementation in Geolocation in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

AnalysisAI

UI spoofing in Google Chrome's Geolocation implementation allows an attacker who has already compromised the renderer process to present misleading geolocation-related interface elements to the user via a crafted HTML page. Affected versions are all Chrome releases prior to 150.0.7871.47. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Exploit separate renderer-process flaw
Delivery
Gain code execution in Chrome renderer
Exploit
Serve crafted HTML page to victim
Execution
Abuse Geolocation implementation to generate spoofed UI
Impact
Deceive user into trusting false location signal

Vulnerability AssessmentAI

Exploitation Exploitation unconditionally requires that the attacker has already achieved code execution within the Chrome renderer process via a separate, prior vulnerability - this is the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) overstates ease of exploitation: the PR:N metric does not capture the critical prerequisite that the renderer process must already be compromised before this vulnerability can be triggered. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker first exploits a separate renderer-process vulnerability (such as a V8 engine flaw or memory corruption bug) to gain code execution within Chrome's renderer sandbox. From that compromised renderer, the attacker serves a crafted HTML page that abuses the inappropriate Geolocation implementation to render a spoofed browser UI element - for example, a fake geolocation permission prompt or a falsified location indicator - deceiving the user into believing a trusted site has or is requesting specific location access. …
Remediation Upgrade Google Chrome to version 150.0.7871.47 or later, which contains the vendor-released patch per the stable channel update advisory at http://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

EUVD-2026-40690 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy