Description
Insufficient policy enforcement in Extensions in Google Chrome prior to 146.0.7680.71 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Medium)
Published: 2026-03-11
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: UI spoofing via malicious Chrome extension
Action: Update Browser
AI Analysis

Impact

This vulnerability arises from insufficient enforcement of policy for extensions in Chrome, allowing a malicious extension installed by a user to craft deceptive UI that can trick the user into entering credentials or other sensitive information. The weakness, classified as CWE‑451, lets an attacker bypass intended policy restrictions for extensions and manipulate the user interface trust boundary.

Affected Systems

The flaw affects Google Chrome on all supported operating systems – Windows, macOS, and Linux – for versions earlier than 146.0.7680.71. The Chrome 146.0.7680.71 release in March 2026 addresses the issue.

Risk and Exploitability

CVSS score 4.3 places the vulnerability in the Medium range, indicating a moderate risk to users. The EPSS score of less than 1 % suggests that exploitation is somewhat unlikely to occur widely, and the flaw is not listed in the CISA KEV catalog. Attackers can exploit this issue only after persuading a user to install a malicious extension; once installed, the extension can forge UI elements to deceive the user into entering sensitive data.

Generated by OpenCVE AI on April 17, 2026 at 09:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 146.0.7680.71 or later, which contains the policy enforcement fix.
  • Remove or disable any installed extensions that have not been verified by the Chrome Web Store, especially those that request UI modification privileges.
  • Configure enterprise or user policies to block installation of unsanctioned extensions and to restrict extensions that can modify the UI, ensuring that policy enforcement is applied consistently.

Generated by OpenCVE AI on April 17, 2026 at 09:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6164-1 chromium security update
History

Tue, 17 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Sat, 14 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-451
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Fri, 13 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Insufficient policy enforcement in Extensions
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

threat_severity

Moderate

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 11 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in Extensions in Google Chrome prior to 146.0.7680.71 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Medium)
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-03-14T02:53:42.785Z

Reserved: 2026-03-11T05:54:12.058Z

Link: CVE-2026-3928

cve-icon Vulnrichment

Updated: 2026-03-14T02:53:19.626Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T22:16:35.453

Modified: 2026-03-17T13:10:14.240

Link: CVE-2026-3928

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-10T00:00:00Z

Links: CVE-2026-3928 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T10:00:03Z

Weaknesses