Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L
URL bar spoofing yields only integrity impact; A:N replaces vendor's A:L as no availability mechanism is described; remaining metrics match description and confirmed CVSS vector.
Primary rating from Vendor (google).
CVSS VectorVendor: google
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Inappropriate implementation in SplitView in Google Chrome on Linux prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low)
AnalysisAI
Omnibox (URL bar) spoofing in Google Chrome on Linux prior to 150.0.7871.47 is possible through an inappropriate SplitView implementation, allowing remote attackers to display false URLs to victims who are tricked into performing specific UI gestures on a crafted HTML page. This CWE-451 class flaw undermines browser trust indicators and enables phishing scenarios, though exploitation is constrained by high attack complexity and mandatory user interaction. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires: (1) the victim must be running Google Chrome on Linux specifically - the CVE is scoped to Linux and no other platforms are affected; (2) the Chrome version must be prior to 150.0.7871.47; (3) the victim must visit a crafted HTML page AND actively perform specific UI gestures, confirmed by CVSS UI:R and the description's explicit 'specific UI gestures' language; (4) the attacker must engineer those gestures via social engineering or page design. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L yields a base score of 4.2, which accurately reflects the constrained real-world risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker hosts a crafted HTML page and lures a Linux Chrome user to visit it via phishing or malvertising. The page is designed to prompt the user into performing specific SplitView UI gestures - such as drag or split interactions - which trigger the Omnibox misrepresentation, causing the URL bar to display a trusted domain (e.g., a bank or identity provider) while the user remains on the attacker-controlled origin. … |
| Remediation | Vendor-released patch: Chrome 150.0.7871.47 for Linux. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Moderate| Product | Status |
|---|---|
| SUSE Package Hub 15 SP7 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Package Hub 15 SP7 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40717
GHSA-xjcw-cwpv-wfvx