Description
Inappropriate implementation in Media UI in Google Chrome on ChromeOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: 4.2 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Inappropriate implementation in the Media UI of Google Chrome on ChromeOS enables a remote attacker, after convincing a user to perform specific UI gestures, to spoof UI elements through a crafted HTML page. The vulnerability can trick users into interacting with counterfeit or malicious UI components, facilitating phishing or social‑engineering exploits. It does not grant code execution or privilege escalation, but it undermines interface integrity.

Affected Systems

Chrome on ChromeOS prior to version 150.0.7871.47 is affected. Updating to that version or later removes the flaw; no other platforms are listed as impacted.

Risk and Exploitability

Chromium classifies the issue as Medium severity; no CVSS score is published, EPSS data is unavailable, and the flaw is not in CISA’s KEV catalog. Exploitation requires a remote attacker to host a crafted HTML page and persuade a user to perform specific gestures, so user interaction is a prerequisite. Because of this user-interaction requirement, the overall risk is low to moderate, though the flaw can be leveraged for targeted social‑engineering attacks.

Generated by OpenCVE AI on July 1, 2026 at 02:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome on ChromeOS to version 150.0.7871.47 or later
  • Configure Chrome to automatically apply stable channel updates on ChromeOS devices
  • Educate users to avoid unsolicited UI gestures and suspicious HTML content

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 02:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | UI Spoofing via Crafted HTML Page in ChromeOS Media UI |
| Weaknesses | | CWE-1021 |

Wed, 01 Jul 2026 02:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-451 |
| Metrics | | cvssV3_1: {'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Tue, 30 Jun 2026 23:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Inappropriate implementation in Media UI in Google Chrome on ChromeOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-01T01:58:44.137Z

Reserved: 2026-06-29T23:04:10.608Z

Link: CVE-2026-13986

Vulnrichment

Updated: 2026-07-01T01:52:45.932Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T02:30:16Z

Weaknesses
  • CWE-1021: Improper Restriction of Rendered UI Layers or Frames
  • CWE-451: User Interface (UI) Misrepresentation of Critical Information