Impact
An improper implementation in Chrome's Paint module can be triggered by a malicious HTML page, allowing a remote attacker to perform UI spoofing on the victim's browser. The primary impact is the display of deceptive graphics or interface elements that may mislead a user into interacting with content that appears legitimate. The weakness stems from insufficient validation of rendered UI elements. Based on the description, it is inferred that the attacker can craft a page that causes the browser to display a fake prompt or button, potentially encouraging the user to disclose sensitive information or unknowingly accept a malicious action.
Affected Systems
Google Chrome browsers running any version older than 150.0.7871.47 are affected. The issue resides only in the Paint component of desktop releases; newer versions have removed the vulnerable code paths and are not impacted.
Risk and Exploitability
Chromium assigns a Medium severity to this vulnerability, but no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. The attack vector is a remote web page that a user can visit, which then triggers the Paint module to render spoofed UI. Because there are no publicly known exploits and no KEV listing, the current likelihood of exploitation is low, though users of older Chrome versions remain at risk.
OpenCVE Enrichment