Description
Incorrect security UI in PageInfo in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: 4.2 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in Chrome’s PageInfo interface, where the security UI is rendered incorrectly in versions prior to 150.0.7871.47. A crafted HTML page, combined with specific UI gestures performed by the user, can cause the browser to display misleading security information. An attacker who convinces a user to perform the required gestures could make the user believe a compromised or untrusted connection is secure, potentially leading to credential theft or other phishing-style attacks. The vulnerability does not expose code execution or privilege escalation, and its Chromium security severity rating is Medium.

Affected Systems

All users of Google Chrome versions older than 150.0.7871.47 are affected; no other vendors or products are listed. The issue is limited to the Chrome stable channel on desktop platforms.

Risk and Exploitability

No EPSS score is provided and the vulnerability is not listed in the CISA KEV catalog, indicating it has not yet been widely exploited. Exploitation requires the user to perform specific UI gestures after being tricked by a remote web page, so it is a selective threat that mostly targets individuals who interact with malicious sites. The medium severity rating reflects the potential for serious social‑engineering damage, but the absence of known public exploits reduces the current threat level to moderate pending a patch.

Generated by OpenCVE AI on July 1, 2026 at 01:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 150.0.7871.47 or later. This patch removes the incorrect PageInfo UI rendering and invalidates the attack path.
  • Ensure that Chrome auto‑update is enabled so the browser remains current. New security releases roll out automatically on most operating systems.
  • Exercise caution with unfamiliar web pages: avoid initiating the UI gestures (e.g., clicking context menus or dragging UI elements) when unsure about a site's authenticity.


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 02:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-451 |
| Metrics | | cvssV3_1: {'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Wed, 01 Jul 2026 01:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Chrome PageInfo UI Spoofing via Crafted HTML |
| Weaknesses | | CWE-200, CWE-606 |

Tue, 30 Jun 2026 23:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Incorrect security UI in PageInfo in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) |
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-01T01:59:28.684Z

Reserved: 2026-06-29T23:04:01.249Z

Link: CVE-2026-13956

Vulnrichment

Updated: 2026-07-01T01:52:52.486Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T01:30:17Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-451

    User Interface (UI) Misrepresentation of Critical Information

  • CWE-606

    Unchecked Input for Loop Condition