Impact
The flaw lies in an improper UI implementation in Google Chrome versions prior to 150.0.7871.47. A remote attacker can convince a user to perform specific UI gestures after loading a crafted HTML page. The attacker can then spoof the user interface, leading the user to believe they are interacting with a legitimate page. This UI spoofing can mislead a user, potentially causing credential disclosure or unintended actions. The vulnerability is categorized as a medium‑security issue by Chromium.
Affected Systems
All versions of Google Chrome before the 150.0.7871.47 release are vulnerable. The attack requires only a standard browser boot; no other components are affected. The issue is limited to the UI layer of the browser.
Risk and Exploitability
The vulnerability is remotely exploitable via a web page that a user visits. The attacker needs to convince the user to engage in particular UI gestures; no elevated privileges are required. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog, indicating no known widespread activity. Chromium rates the flaw as medium severity, so while the risk is not critical, it may still facilitate phishing or credential theft. The lack of a public exploit and low visibility diminishes the immediate threat but still warrants timely remediation.
OpenCVE Enrichment