Description
Inappropriate implementation in SplitView in Google Chrome on Linux prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-30
Score: 4.2 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper implementation in SplitView on Linux allowed a crafted HTML page to cause the Omnibox (URL bar) to display spoofed contents through specific UI gestures. This UI spoofing could lead users to believe they were viewing a different webpage when they were not. The flaw involves user interface manipulation weaknesses.

Affected Systems

Google Chrome browsers on Linux systems with versions earlier than 150.0.7871.47 are affected. More recent releases contain a fixed implementation that prevents the malicious UI manipulation.

Risk and Exploitability

The vulnerability is rated low in Chromium’s security severity framework. It requires the user to open a crafted HTML page and perform specific UI gestures, which limits autonomous exploitation. No EPSS score is available and the issue is not listed in CISA KEV, indicating a modest short‑term threat. Safe browsing protections and standard user awareness remain effective mitigations until a patch is applied.

Generated by OpenCVE AI on July 1, 2026 at 04:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 150.0.7871.47 or later.
  • Avoid interacting with unfamiliar web pages that request unusual UI gestures or prompt for additional input on the address bar.
  • If upgrading immediately is not possible, consider blocking or monitoring suspicious web content in the browser’s security settings.

Generated by OpenCVE AI on July 1, 2026 at 04:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 04:30:00 +0000

Type Values Removed Values Added
Title Chrome Omnibox Spoof via SplitView UI Gesture
Weaknesses CWE-200

Wed, 01 Jul 2026 03:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-451
Metrics cvssV3_1

{'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in SplitView in Google Chrome on Linux prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low)
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-01T01:57:01.804Z

Reserved: 2026-06-29T23:11:27.543Z

Link: CVE-2026-14030

cve-icon Vulnrichment

Updated: 2026-07-01T01:52:31.123Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-01T04:15:16Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-451

    User Interface (UI) Misrepresentation of Critical Information