CVE-2026-0904 - Vulnerability Details

- chromium-browser: Incorrect security UI in Digital Credentials

Description

Incorrect security UI in Digital Credentials in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Medium)

Published: 2026-01-20

Score: 5.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability involves an incorrect security UI in the Digital Credentials feature of Google Chrome, allowing a remote attacker to perform domain spoofing by serving a specially crafted HTML page. This flaw compromises user trust by presenting a false indication of the site’s domain, potentially leading to phishing or credential theft.

Affected Systems

Affected are Google Chrome users on versions earlier than 144.0.7559.59 across all supported operating systems, as identified by the CVE. This affects the desktop distribution of Chrome for Windows, macOS, and Linux.

Risk and Exploitability

The CVSS score of 5.4 indicates medium severity, and the EPSS score of less than 1% indicates low likelihood of exploitation in the wild. The vulnerability is not listed in the KEV catalog. Attackers could exploit the flaw by hosting a malicious web page that triggers the spoofing behavior, thus requiring the victim to visit the page; no local privileges or special permissions are required.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Google

Chrome

affected

Version	Status	Constraints
`144.0.7559.59`	affected	< 144.0.7559.59

Configuration 1 [-]

AND

cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:linux:linux_kernel:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

Configuration 2 [-]

AND

cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*

cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Google	Chrome	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Install the latest Google Chrome update (v144.0.7559.59 or newer).
Restart Chrome to ensure the new binaries are in use.
If the vulnerability continues to display, report the issue to Google via their issue tracker.

Generated by OpenCVE AI on April 18, 2026 at 15:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6100-1	chromium security update

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00038.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html
https://issues.chromium.org/issues/452209495
https://nvd.nist.gov/vuln/detail/CVE-2026-0904
https://www.cve.org/CVERecord?id=CVE-2026-0904

History

Thu, 29 Jan 2026 20:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple macos Linux Linux linux Kernel Microsoft Microsoft windows
CPEs		cpe:2.3:a:google:chrome:::::::: cpe:2.3:o:apple:macos:-:::::::* cpe:2.3:o:linux:linux_kernel:-:::::::* cpe:2.3:o:microsoft:windows:-:::::::*
Vendors & Products		Apple Apple macos Linux Linux linux Kernel Microsoft Microsoft windows

Wed, 21 Jan 2026 00:15:00 +0000

Type	Values Removed	Values Added
Title		chromium-browser: Incorrect security UI in Digital Credentials
References		https://nvd.nist.gov/vuln/detail/CVE-2026-0904 https://www.cve.org/CVERecord?id=CVE-2026-0904
Metrics	threat_severity `None`	threat_severity `Moderate`

Tue, 20 Jan 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}`

Tue, 20 Jan 2026 15:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-451
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Tue, 20 Jan 2026 08:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Google Google chrome
Vendors & Products		Google Google chrome

Tue, 20 Jan 2026 04:30:00 +0000

Type	Values Removed	Values Added
Description		Incorrect security UI in Digital Credentials in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Medium)
References		https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/452209495

Subscriptions

Apple Macos

Google Chrome

Linux Linux Kernel

Microsoft Windows

MITRE

Status: PUBLISHED

Assigner: Chrome

Published: 2026-01-20T04:14:16.238Z

Updated: 2026-01-20T15:26:56.630Z

Reserved: 2026-01-13T18:20:17.429Z

Link: CVE-2026-0904

Vulnrichment

Updated: 2026-01-20T14:56:19.884Z

NVD

Status : Analyzed

Published: 2026-01-20T05:16:15.893

Modified: 2026-01-29T20:22:51.227

Link: CVE-2026-0904

Redhat

Severity : Moderate

Publid Date: 2026-01-13T00:00:00Z

Links: CVE-2026-0904 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T16:00:04Z

Weaknesses

CWE-451

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object