Impact
The vulnerability lies in Google Chrome's Split View UI, where security indicators are rendered incorrectly. A remote attacker can deliver a crafted HTML page that, when opened in a Chrome instance earlier than version 144.0.7559.59, causes the browser to display a spoofed security badge or icon, misleading the user into believing the site is protected. This deception facilitates phishing or credential theft by tricking users into submitting sensitive information. The flaw stems from insufficient validation of UI elements within Split View and is classified as CWE-451 (User Interface Misrepresentation of Critical Information).
Affected Systems
All desktop installations of Google Chrome running a version earlier than 144.0.7559.59 on Windows, macOS, or Linux are affected. The issue is tied to the stable channel and applies to users who have not updated Chrome after the January 2026 release cycle.
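To triage an inventory of Chrome desktop installs against the fixed build named above, the following added example (not part of the advisory or of Chromium) compares version strings component by component; a plain string comparison would wrongly rank 144.0.7559.9 above 144.0.7559.59. The host names and versions in the sample inventory are constructed.

```python
# Added example: flag Chrome desktop installs older than the fixed build.
# FIXED_VERSION comes from the advisory; all inventory data below is constructed.
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = "144.0.7559.59"


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """Parse a four-part dotted Chrome version into a tuple of ints.
    Returns None for malformed input so callers treat it as 'unknown'
    instead of silently comparing garbage."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if older than the fixed build, False if patched, None if unparseable.
    Tuple comparison is numeric per component, so '144.0.7559.9' < '144.0.7559.59'."""
    parsed, fixed_parsed = parse_version(version), parse_version(fixed)
    if parsed is None or fixed_parsed is None:
        return None
    return parsed < fixed_parsed


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts into 'affected', 'patched' and 'unknown' buckets."""
    buckets: Dict[str, List[str]] = {"affected": [], "patched": [], "unknown": []}
    for host, version in inventory.items():
        state = is_affected(version)
        key = "unknown" if state is None else ("affected" if state else "patched")
        buckets[key].append(host)
    return buckets


if __name__ == "__main__":
    # Constructed sample inventory: host -> Chrome version reported by the endpoint agent
    sample = {
        "ws-01": "144.0.7559.59",   # exactly the fixed build: patched
        "ws-02": "144.0.7559.9",    # lexically 'greater', numerically older: affected
        "ws-03": "143.0.7499.192",  # earlier major: affected
        "ws-05": "n/a",             # agent could not read a version: unknown
    }
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {hosts}")
```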
Risk and Exploitability
The CVSS score of 9.8 designates this bug as critical; however, the current EPSS score is below 1%, indicating a low probability of exploitation at this time. It is not listed in the CISA KEV catalog, so no widespread public exploitation is documented. Nevertheless, the attack vector is a malicious web page loaded in the browser, which is trivial to craft and distribute over the internet, so the vulnerability is readily actionable for anyone who can get a user to load such a page.
OpenCVE Enrichment