Description
Insufficient validation of untrusted input in CustomTabs in Google Chrome on Android prior to 150.0.7871.47 allowed a local attacker to perform UI spoofing via a malicious file. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability involves insufficient validation of untrusted input within Chrome’s CustomTabs component on Android, allowing a local attacker to supply a malicious file that tricks the browser into displaying a spoofed user interface. The exploit can subvert user trust by presenting counterfeit content or actions, potentially leading to additional malicious activity. The advisory rates the severity as Medium.

Affected Systems

Google Chrome for Android versions earlier than 150.0.7871.47 are vulnerable. The issue was identified in the CustomTabs feature, which is part of the browser’s core functionality.

Risk and Exploitability

An attacker must have local access to the device to create or place a malicious file that initiates the CustomTabs view. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, indicating that large-scale exploitation has not been observed. The issue is rated Medium in Chromium’s internal security assessment, and because the exploit requires local interaction, the overall risk is moderate, particularly for users running untrusted applications or files.

Generated by OpenCVE AI on July 1, 2026 at 04:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 150.0.7871.47 or later.
  • Enable automatic updates for Google Chrome to receive future security patches promptly.
  • Restrict installation of untrusted applications that could create malicious files and monitor the device for suspicious file activity.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 04:45:00 +0000

Type | Values Removed | Values Added
Title | | Local UI Spoofing via Malicious File in Chrome CustomTabs on Android

Tue, 30 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient validation of untrusted input in CustomTabs in Google Chrome on Android prior to 150.0.7871.47 allowed a local attacker to perform UI spoofing via a malicious file. (Chromium security severity: Medium)
Weaknesses | | CWE-20
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:34.777Z

Reserved: 2026-06-29T23:04:01.002Z

Link: CVE-2026-13955

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T04:30:06Z

Weaknesses
  • CWE-20: Improper Input Validation