Description
Inappropriate implementation in File input in Google Chrome prior to 145.0.7632.45 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-02-11
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: UI Spoofing
Action: Patch
AI Analysis

Impact

The vulnerability arises from an inappropriate implementation in the file input component of Google Chrome. A remote attacker who persuades a user to perform specific UI gestures can perform UI spoofing via a crafted HTML page. The attacker can trick the user into interacting with UI elements that appear legitimate, potentially leading to phishing or social engineering attacks. The impact is concentrated on the user session: it enables manipulation of the user interface but does not by itself provide direct code execution or data exfiltration.

Affected Systems

Google Chrome versions earlier than 145.0.7632.45 on Windows, macOS, and Linux are affected. The vulnerability is not limited to a particular operating system, because the impacted component is cross‑platform.

Risk and Exploitability

The CVSS score is 5.4 (Medium), while the Chromium security severity is Low. The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, suggesting a low likelihood of widespread exploitation. An attacker must rely on social engineering to convince a user to engage in specific UI gestures on a crafted web page. Because exploitation requires user interaction, it is less likely to be automated but remains viable in targeted phishing campaigns.

Generated by OpenCVE AI on April 17, 2026 at 20:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 145.0.7632.45 or later
  • Ensure Chrome’s automatic update feature is enabled so the browser receives future security patches automatically
  • Exercise caution when interacting with file input prompts on unfamiliar or suspicious websites



Advisories

Source: Debian DSA
ID: DSA-6135-1
Title: chromium security update

History

Fri, 13 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Thu, 12 Feb 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}


Thu, 12 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Inappropriate implementation in File input
References
Metrics threat_severity

None

threat_severity

Low


Wed, 11 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 11 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-451
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Feb 2026 18:45:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in File input in Google Chrome prior to 145.0.7632.45 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-02-12T14:05:40.432Z

Reserved: 2026-02-10T21:51:47.035Z

Link: CVE-2026-2322

Vulnrichment

Updated: 2026-02-11T20:46:35.011Z

NVD

Status: Analyzed

Published: 2026-02-11T19:15:52.400

Modified: 2026-02-13T14:51:37.260

Link: CVE-2026-2322

Redhat

Severity: Low

Public Date: 2026-02-10T00:00:00Z

Links: CVE-2026-2322 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T20:15:27Z

Weaknesses