Description
Inappropriate implementation in Accessibility in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-04
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Chromium’s accessibility subsystem contains an inappropriate implementation that allows a remote attacker to deliver a crafted HTML page and perform UI spoofing on Android devices. When the page is opened in Chrome, the browser displays misleading controls or interfaces that mimic legitimate application screens, potentially tricking users into revealing sensitive information. The flaw is captured as CWE‑451 and CWE‑1021 and is rated as High by Chromium.

Affected Systems

The vulnerability applies to Google Chrome on Android platforms that have not yet received the June 2026 stable channel update. The CVE information does not specify individual version numbers, so all installations of Chrome for Android prior to the latest update remain potentially vulnerable.

Risk and Exploitability

Chromium assigns a CVSS score of 5.4, indicating a medium risk level, while the EPSS score is < 1%, suggesting a low probability of exploitation. The flaw is not listed in CISA’s KEV catalog. The likely attack vector is a remote attacker delivering the malicious page through a web server, email link, or other internet content, with no local privilege escalation required. Although exploitation is considered unlikely, the impact of UI spoofing justifies timely remediation.

Generated by OpenCVE AI on June 7, 2026 at 17:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome on Android to version 149.0.7827.53 or later, which contains the vendor's fix.
  • If an update is not immediately available, disable Chrome’s accessibility features or use an alternative browser for sensitive browsing to reduce the opportunity for UI spoofing.
  • Implement network‑level content filtering or DNS‑based filtering to block known malicious hosts that might serve crafted pages.

Generated by OpenCVE AI on June 7, 2026 at 17:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Inappropriate Accessibility Implementation Causing UI Spoofing in Chrome Android chromium-browser: Inappropriate implementation in Accessibility
Weaknesses CWE-1021
References
Metrics threat_severity

None

 threat_severity

Important

Fri, 05 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Title Inappropriate Accessibility Implementation Causing UI Spoofing in Chrome Android

Fri, 05 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Google android
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
Vendors & Products Google android

Fri, 05 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Title Remote UI Spoofing via Crafted HTML Page in Chrome for Android
Weaknesses CWE-79

Fri, 05 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-451
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Title Remote UI Spoofing via Crafted HTML Page in Chrome for Android
Weaknesses CWE-79

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Accessibility in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High)
References

Subscriptions

Google Android Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T18:04:11.444Z

Reserved: 2026-06-04T17:06:22.143Z

Link: CVE-2026-10984

cve-icon Vulnrichment

Updated: 2026-06-05T18:03:45.485Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T23:17:01.757

Modified: 2026-06-05T20:38:13.473

Link: CVE-2026-10984

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-10984 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T17:30:04Z

Weaknesses
  • CWE-1021

    Improper Restriction of Rendered UI Layers or Frames

  • CWE-451

    User Interface (UI) Misrepresentation of Critical Information