Description
Inappropriate implementation in Video Capture in Google Chrome on ChromeOS prior to 150.0.7871.47 allowed a local attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates from an inadequate implementation of the Video Capture component in Google Chrome on ChromeOS. A local attacker who can present a crafted HTML page can deceive the browser into displaying UI elements that do not reflect the true state of the device, such as fake camera or microphone indicators. This manipulation of the user interface can lead to deceptive interactions. The flaw is categorized as local UI spoofing and classified under CWE-20 (Improper Input Validation).

Affected Systems

The flaw impacts any ChromeOS system running Google Chrome versions earlier than 150.0.7871.47. The issue was resolved in the 150.0.7871.47 stable channel update; newer Chromium releases are not affected.

Risk and Exploitability

Because the attack requires local access with a crafted webpage, exposure is limited to users who can open the malicious page or execute code on the machine. The vulnerability is not remotely exploitable and is not listed in the CISA KEV catalog. Chromium reports the severity as medium, and no EPSS data is available. This indicates a moderate overall risk, though the social engineering impact could be significant in mixed-user environments.

Generated by OpenCVE AI on July 1, 2026 at 01:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome on ChromeOS to 150.0.7871.47 or later to apply the UI spoofing fix.
  • If upgrading is delayed, isolate vulnerable user accounts and restrict local web browsing or disable camera device access for pages until the patch is installed.
  • Use Chrome settings or extensions to block camera and microphone access for all sites until the update is applied.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 01:45:00 +0000

Type | Values Removed | Values Added
Title | | Local UI Spoofing via Video Capture Misimplementation in Chrome on ChromeOS

Tue, 30 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Inappropriate implementation in Video Capture in Google Chrome on ChromeOS prior to 150.0.7871.47 allowed a local attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses | | CWE-20
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:30.043Z

Reserved: 2026-06-29T23:03:57.776Z

Link: CVE-2026-13942

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T01:30:17Z

Weaknesses
  • CWE-20

    Improper Input Validation