CVE-2026-2316 - Vulnerability Details

- chromium-browser: Insufficient policy enforcement in Frames

Description

Insufficient policy enforcement in Frames in Google Chrome prior to 145.0.7632.45 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Published: 2026-02-11

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Insufficient policy enforcement in Chrome’s Frames component allowed a remote attacker to craft a web page that could deceive users by displaying malicious content within frames. The flaw opens a channel for UI spoofing attacks, enabling attackers to mimic legitimate interfaces and potentially influence user interactions or harvest credentials. The weakness is identified as CWE‑451: Failure to Compensate for a Lack of Security Requiring Protection.

Affected Systems

All installations of Google Chrome before version 145.0.7632.45 across supported operating systems – Windows, macOS, Linux – are affected. No specific operating‑system variations are noted; any Chrome build prior to the specified patch is susceptible.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.5, indicating medium severity. Its EPSS score is less than 1 %, suggesting very low current exploitation probability, and it is not listed in the CISA KEV catalog. Attackers would need to deliver a deliberately crafted HTML page to a victim’s browser, either by hosting a malicious site or through compromised content, to exploit the flaw. No advanced persistence or privilege escalation is required beyond the UI deception objective.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Google

Chrome

affected

Version	Status	Constraints
`145.0.7632.45`	affected	< 145.0.7632.45

Configuration 1 [-]

AND

cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:apple:macos:-:::::::*
	cpe:2.3:o:linux:linux_kernel:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

No data.

Vendor Product Confidence Versions

Google

Chrome

—

Version	Status	Scheme	Platform
`145.0.7632.45`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Chrome to version 145.0.7632.45 or later
Configure Chrome enterprise policies to restrict the use of frames if possible
Monitor for anomalous frame behavior and remediate suspicious web content promptly

Generated by OpenCVE AI on April 17, 2026 at 20:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6135-1	chromium security update

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00033.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_10.html
https://issues.chromium.org/issues/422531206
https://nvd.nist.gov/vuln/detail/CVE-2026-2316
https://www.cve.org/CVERecord?id=CVE-2026-2316

History

Fri, 13 Feb 2026 17:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple macos Linux Linux linux Kernel Microsoft Microsoft windows
CPEs		cpe:2.3:a:google:chrome:::::::: cpe:2.3:o:apple:macos:-:::::::* cpe:2.3:o:linux:linux_kernel:-:::::::* cpe:2.3:o:microsoft:windows:-:::::::*
Vendors & Products		Apple Apple macos Linux Linux linux Kernel Microsoft Microsoft windows

Thu, 12 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-451
Metrics	cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}`

Thu, 12 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
Title		chromium-browser: Insufficient policy enforcement in Frames
References		https://nvd.nist.gov/vuln/detail/CVE-2026-2316 https://www.cve.org/CVERecord?id=CVE-2026-2316
Metrics	threat_severity `None`	cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}` threat_severity `Moderate`

Wed, 11 Feb 2026 22:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Google Google chrome
Vendors & Products		Google Google chrome

Wed, 11 Feb 2026 18:45:00 +0000

Type	Values Removed	Values Added
Description		Insufficient policy enforcement in Frames in Google Chrome prior to 145.0.7632.45 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
References		https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_10.html https://issues.chromium.org/issues/422531206

Subscriptions

Apple Macos

Google Chrome

Linux Linux Kernel

Microsoft Windows

MITRE

Status: PUBLISHED

Assigner: Chrome

Published: 2026-02-11T18:08:02.851Z

Updated: 2026-02-12T15:36:00.353Z

Reserved: 2026-02-10T21:51:43.728Z

Link: CVE-2026-2316

Vulnrichment

Updated: 2026-02-12T15:35:54.249Z

NVD

Status : Analyzed

Published: 2026-02-11T19:15:51.717

Modified: 2026-02-13T17:28:37.780

Link: CVE-2026-2316

Redhat

Severity : Moderate

Publid Date: 2026-02-10T00:00:00Z

Links: CVE-2026-2316 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T20:30:15Z

Weaknesses

CWE-451

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object