Description
Inappropriate implementation in Paint in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper implementation in Chrome's Paint module can be triggered by a malicious HTML page, allowing a remote attacker to perform UI spoofing on the victim's browser. The primary impact is the display of deceptive graphics or interface elements that may mislead a user into interacting with content that appears legitimate. The weakness stems from insufficient validation of rendered UI elements. Based on the description, it is inferred that the attacker can craft a page that causes the browser to display a fake prompt or button, potentially encouraging the user to disclose sensitive information or unknowingly accept a malicious action.

Affected Systems

Google Chrome browsers running any version older than 150.0.7871.47 are affected. The issue resides only in the Paint component of desktop releases; newer versions have removed the vulnerable code paths and are not impacted.

Risk and Exploitability

Chromium assigns a Medium severity to this vulnerability, but no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. The attack vector is a remote web page that a user can visit, which then triggers the Paint module to render spoofed UI. Because there are no publicly known exploits and no KEV listing, the current likelihood of exploitation is low, though users of older Chrome versions remain at risk.

Generated by OpenCVE AI on July 1, 2026 at 05:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 150.0.7871.47 or newer, which removes the vulnerable Paint code.
  • Enable automatic updates so that future security fixes are applied without manual intervention.
  • If an upgrade is not immediately possible, restrict the usage of the Paint feature or disable plugin execution that could load malicious content until the patch is applied.

Tracking

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 05:45:00 +0000

Type          Values Removed    Values Added
Title                           Chrome Paint UI Spoofing Vulnerability
Weaknesses                      CWE-1032, CWE-79

Tue, 30 Jun 2026 23:15:00 +0000

Type          Values Removed    Values Added
Description                     Inappropriate implementation in Paint in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
References

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:46.890Z

Reserved: 2026-06-29T23:04:11.306Z

Link: CVE-2026-13988

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T05:30:17Z

Weaknesses
  • CWE-1032
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')