Description
Incorrect security UI in TabStrip in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw involves an incorrect security UI in the TabStrip of Google Chrome, allowing a remote attacker to spoof authentication indicators through a crafted HTML page. A user browsing a malicious or phishing site could be misled into believing the site is secure, potentially leading to credential disclosure or untrusted actions. The vulnerability is a medium severity issue according to Chromium security teams, and it specifically permits the attacker to influence what a legitimate user sees when interacting with a web interface. The issue is not an arbitrary code execution or memory corruption bug; it is a purely client‑side visual deception that could be leveraged for social‑engineering attacks.

Affected Systems

According to the CNA, Google Chrome on all platforms before version 150.0.7871.47 is affected. The vulnerability manifests in all builds of the browser that use the legacy TabStrip component, regardless of platform or operating system, because the flaw resides in the shared UI code.

Risk and Exploitability

The CVE is not listed in the CISA KEV catalog and no EPSS score is available, indicating limited publicly known exploitation. The attack vector requires the attacker to host a crafted HTML page that is visited by a user of a vulnerable browser. The flaw does not require remote code execution or privileged access, but it does provide a convincing UI spoof that an attacker could use for phishing or social engineering. Neither CSP nor the same‑origin policy mitigates the visual deception, so the risk remains moderate until the browser is updated; a fix is available in Chrome 150.0.7871.47 and later.

Generated by OpenCVE AI on July 1, 2026 at 02:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Chrome update to version 150.0.7871.47 or newer.
  • Verify that the security UI in the TabStrip correctly displays the lock icon for HTTPS sites.
  • If a temporary postponement of the update is necessary, enable Chrome’s Safe Browsing and block suspicious extensions that may alter the browser’s UI rendering.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 03:00:00 +0000

Type | Values Removed | Values Added
Title | | Chrome UI Spoofing via Incorrect Security UI in TabStrip
Weaknesses | | CWE-151, CWE-653

Tue, 30 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Incorrect security UI in TabStrip in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:45.441Z

Reserved: 2026-06-29T23:04:08.451Z

Link: CVE-2026-13984

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T02:45:03Z

Weaknesses
  • CWE-151

    Improper Neutralization of Comment Delimiters

  • CWE-653

    Improper Isolation or Compartmentalization