Description
Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An inappropriate implementation in Chrome for iOS versions prior to 149.0.7827.53 allows a remote attacker to construct a crafted HTML page that mimics legitimate UI elements. The affected browser renders the page in a manner that can deceive users into believing it is part of the genuine application interface, potentially leading to credential disclosure or other malicious actions performed by the user without their knowledge.

Affected Systems

The vulnerability impacts Google Chrome on iOS devices running any version before the 149.0.7827.53 update. No specific sub‑revision list is supplied, but all builds older than the mentioned release are susceptible. The attack surface is limited to the Chrome iOS app and does not affect other Google or non‑Google browsers on iOS.

Risk and Exploitability

The CVE is classified with a low severity rating and is not listed in the CISA KEV catalog; an EPSS score is not available. The exploit requires the victim to visit a maliciously constructed web page, meaning the attack is remote and does not require local escalation. Because the issue is confined to UI deception rather than code execution, the direct exploitation risk is modest, but the potential for phishing and credential compromise remains a concern as the malicious page is presented within a trusted browser environment.

Generated by OpenCVE AI on June 5, 2026 at 00:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install Chrome version 149.0.7827.53 or later on all iOS devices to eliminate the bug
  • If an immediate update cannot be applied, disable pop‑ups and JavaScript for untrusted sites within iOS Safari or consider using a parental control or security app that blocks or warns about suspicious content
  • Enable Chrome’s Safe Browsing and phishing protection features to provide an additional layer of defense against deceptive pages



Advisories

No advisories yet.

History

Fri, 05 Jun 2026 02:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google, Google chrome
Vendors & Products | | Google, Google chrome

Fri, 05 Jun 2026 01:00:00 +0000

Type | Values Removed | Values Added
Title | | UI Spoofing via Crafted HTML Page in Chrome for iOS
Weaknesses | | CWE-264, CWE-79

Thu, 04 Jun 2026 23:45:00 +0000

Type | Values Removed | Values Added
Description | | Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:06:18.473Z

Reserved: 2026-06-04T17:11:15.554Z

Link: CVE-2026-11285

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-05T00:17:05.920

Modified: 2026-06-05T00:17:05.920

Link: CVE-2026-11285

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T02:00:18Z

Weaknesses