Description
Incorrect security UI in Tab Strip in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An incorrect security UI in Chrome’s Tab Strip allows a remote attacker to craft a malicious HTML page that displays a deceptive domain name, leading users to believe they are on a trusted site. Based on the description, it is inferred that a user may then provide sensitive information to the attacker, potentially leading to credential theft or other social‑engineering attacks, by undermining user confidence in the address bar.

Affected Systems

Google Chrome versions prior to 149.0.7827.53 are affected. Users of the stable channel before this patch must upgrade to mitigate the flaw.

Risk and Exploitability

Chromium rates the vulnerability as Low severity; it has a CVSS score of 6.5 (Medium) and an EPSS score of < 1%, and it is not listed in the CISA KEV catalog. The attack requires a remote attacker to host a crafted HTML page and have a user visit it; the likely attack vector is a user browsing to a malicious site that presents a spoofed domain in the UI. Once the user accepts the deception, they may unknowingly provide sensitive information to the attacker.

Generated by OpenCVE AI on June 7, 2026 at 16:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 149.0.7827.53 or later.
  • Ensure Chrome Safe Browsing and phishing protection are enabled to help detect spoofed sites.
  • Review Google’s security notices to stay informed about future fixes.


Advisories
Source | ID | Title
Debian DSA | DSA-6325-1 | chromium security update
History

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Domain Spoofing via Incorrect Security UI in Chrome Tab Strip chromium-browser: Incorrect security UI in Tab Strip
Weaknesses CWE-449
References
Metrics threat_severity

None

threat_severity

Low


Fri, 05 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 05 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Title Domain Spoofing via Incorrect Security UI in Chrome Tab Strip

Fri, 05 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Title Domain Spoofing via Incorrect Security UI in Chrome Tab Strip
Weaknesses CWE-200

Fri, 05 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-451
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title Domain Spoofing via Incorrect Security UI in Chrome Tab Strip
Weaknesses CWE-200

Fri, 05 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Incorrect security UI in Tab Strip in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Low)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T14:11:36.616Z

Reserved: 2026-06-04T17:10:54.867Z

Link: CVE-2026-11222

Vulnrichment

Updated: 2026-06-05T14:11:32.559Z

NVD

Status: Analyzed

Published: 2026-06-04T23:17:29.920

Modified: 2026-06-05T20:23:03.997

Link: CVE-2026-11222

Redhat

Severity: Low

Public Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11222 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-07T16:45:04Z

Weaknesses
  • CWE-449

    The UI Performs the Wrong Action

  • CWE-451

    User Interface (UI) Misrepresentation of Critical Information