Description
Inappropriate implementation in Accessibility in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-04
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An inappropriate implementation in Chrome’s accessibility subsystem allows a remote attacker to craft a malicious HTML page that can spoof the user interface on Android devices. When this page is loaded in the browser, the attacker can present content or controls in a misleading way, so that the user believes they are interacting with a legitimate application screen. This flaw could be used to phish credentials or otherwise manipulate user actions, representing a high‑severity impact on the confidentiality and integrity of user data.

Affected Systems

The flaw is present in Google Chrome for Android versions prior to 149.0.7827.53. All installations of Chrome on Android running an older revision are affected; the June 2026 stable channel update contains the patch.

Risk and Exploitability

Chromium labels the weakness as high severity, but the EPSS score is not provided and the vulnerability is not yet listed in CISA’s KEV catalog, indicating no confirmed widespread exploits. The likely attack vector is a remote attacker delivering the malicious page through a web server or email link; no local privilege is required. The absence of a KEV listing suggests the risk of exploitation is currently lower, though the potential impact justifies timely remediation.

Generated by OpenCVE AI on June 5, 2026 at 03:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome for Android to version 149.0.7827.53 or newer, as delivered in the June 2026 stable channel update
  • If an upgrade cannot be performed immediately, disable Chrome’s accessibility service in device Settings > Accessibility to reduce the attack surface
  • Ensure that the Android OS, Google Play Store, and Play Protect are up to date with automatic updates enabled so future patches reach the device promptly

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 06:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google, Google chrome
Vendors & Products | | Google, Google chrome

Fri, 05 Jun 2026 03:30:00 +0000

Type | Values Removed | Values Added
Title | | Remote UI Spoofing via Crafted HTML Page in Chrome for Android
Weaknesses | | CWE-79

Thu, 04 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Inappropriate implementation in Accessibility in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:04:08.025Z

Reserved: 2026-06-04T17:06:22.143Z

Link: CVE-2026-10984

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-06-04T23:17:01.757

Modified: 2026-06-05T15:02:59.990

Link: CVE-2026-10984

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T06:15:33Z

Weaknesses