Description
Insufficient policy enforcement in Extensions in Google Chrome on Linux prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Google Chrome for Linux allows a malicious extension, once a user has been convinced to install it, to perform UI spoofing. This enables attackers to mimic legitimate interface elements or dialog boxes, potentially tricking users into revealing credentials or executing unintended actions. Because the vulnerability stems from insufficient policy enforcement for extensions, it can affect any Chrome session where the attacker’s extension runs, compromising user interaction and trust in the browser.

Affected Systems

Google Chrome versions prior to 150.0.7871.47 on Linux are affected; the issue lies in how extensions were handled before this release.

Risk and Exploitability

The vulnerability carries a Chromium security severity of Medium. It is not listed in CISA’s KEV catalog and has no EPSS score, indicating low publicly known exploitation activity so far. However, attackers can exploit it by persuading users to install a crafted extension and then using the spoofed UI to deceive them. The attack requires user interaction to install the extension, but once installed, the malicious code runs with the extension’s privileges and can interact with the browser’s UI.

Generated by OpenCVE AI on July 1, 2026 at 01:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 150.0.7871.47 or later, which implements proper policy enforcement for extensions
  • Review and remove existing Chrome extensions that seem suspicious or are not from trusted sources
  • Educate users about the risks of installing extensions from unverified developers and the need to scrutinize requested permissions

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 01:45:00 +0000

Type | Values Removed | Values Added
Title | | Insufficient Policy Enforcement in Chrome Extensions Allows UI Spoofing on Linux
Weaknesses | | CWE-1021

Tue, 30 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient policy enforcement in Extensions in Google Chrome on Linux prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Medium)
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:31.142Z

Reserved: 2026-06-29T23:03:58.505Z

Link: CVE-2026-13945

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T01:30:17Z

Weaknesses
  • CWE-1021

    Improper Restriction of Rendered UI Layers or Frames