Impact
The flaw involves an incorrect security UI in the TabStrip of Google Chrome, allowing a remote attacker to spoof authentication indicators through a crafted HTML page. A user browsing a malicious or phishing site could be misled into believing the site is secure, potentially leading to credential disclosure or untrusted actions. The vulnerability is a medium severity issue according to Chromium security teams, and it specifically permits the attacker to influence what a legitimate user sees when interacting with a web interface. The issue is not an arbitrary code execution or memory corruption bug; it is a purely client‑side visual deception that could be leveraged for social‑engineering attacks.
Affected Systems
Affected by the CNA is Google Chrome for all platforms before version 150.0.7871.47. The vulnerability manifests in all builds of the browser that use the legacy TabStrip component, regardless of platform or operating system, because the flaw resides in the shared UI code.
Risk and Exploitability
The CVE is not listed in the CISA KEV catalog and no EPSS score is available, indicating limited publicly known exploitation. The attack vector requires the attacker to host a crafted HTML page that is visited by a user of a vulnerable browser. The flaw does not require remote code execution or privileged access, but it does provide a convincing UI spoof that an attacker could use for phishing or social engineering. The CSP or same‑origin policy does not mitigate the visual deception, so the risk remains moderate until the vendor releases, and a fix is available in Chrome 150.0.7871.47 and later.
OpenCVE Enrichment