Description
Inappropriate implementation in Blink in Google Chrome on Android prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High)
Published: 2026-01-20
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: UI Spoofing
Action: Patch
AI Analysis

Impact

The flaw resides in Blink, the rendering engine of Google Chrome, on Android: a specially crafted HTML page can cause the browser to display counterfeit user interface elements. Such UI spoofing can mislead users into interacting with deceptive controls, potentially resulting in credential leakage or unintended actions, but it requires no code execution or privileged access. The weakness is catalogued as CWE-451, reflecting a failure to enforce the expected security properties of the user interface.

Affected Systems

The vulnerability affects Google Chrome on Android in versions older than 144.0.7559.59. Desktop builds of Chrome on Windows, macOS, Linux, and other operating systems are not impacted, so users on any Chrome variant other than the affected Android releases are not exposed.

Risk and Exploitability

The CVSS base score of 5.4 indicates moderate severity. An EPSS score below 1% suggests a very low probability of exploitation in the wild, and the vulnerability is not listed in CISA's KEV catalog. An attacker would need a user to visit a malicious or phishing web page; the attack vector is limited to web content delivered over HTTP/HTTPS and provides neither direct code execution nor privilege escalation.

Generated by OpenCVE AI on April 18, 2026 at 15:46 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to at least version 144.0.7559.59, which contains the Blink fix.
  • Enable Chrome’s Safe Browsing feature to help detect and block known malicious sites.
  • For managed devices, push the update through enterprise device management to ensure all users receive the patch automatically.

Advisories
  • Source: Debian DSA
  • ID: DSA-6100-1
  • Title: chromium security update
History

Fri, 30 Jan 2026 16:30:00 +0000

Values added:

  • First Time appeared: Apple; Apple macos; Linux; Linux linux Kernel; Microsoft; Microsoft windows
  • CPEs:
      cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
      cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
      cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
      cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
  • Vendors & Products: Apple; Apple macos; Linux; Linux linux Kernel; Microsoft; Microsoft windows

Values removed: none.

Tue, 20 Jan 2026 14:15:00 +0000

Values added:

  • Weaknesses: CWE-451
  • Metrics:
      cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}
      ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Values removed: none.

Tue, 20 Jan 2026 08:45:00 +0000

Values added:

  • First Time appeared: Google; Google android; Google chrome
  • Vendors & Products: Google; Google android; Google chrome

Values removed: none.

Tue, 20 Jan 2026 04:30:00 +0000

Values added:

  • Description: Inappropriate implementation in Blink in Google Chrome on Android prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High)

Values removed: none.
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-01-20T14:06:33.879Z

Reserved: 2026-01-13T18:20:16.272Z

Link: CVE-2026-0901

Vulnrichment

Updated: 2026-01-20T14:06:25.483Z

NVD

Status: Analyzed

Published: 2026-01-20T05:16:15.510

Modified: 2026-01-30T16:28:25.950

Link: CVE-2026-0901

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:00:04Z

Weaknesses