Description
Incorrect security UI in Downloads in Google Chrome on Android prior to 146.0.7680.71 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-03-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: UI Spoofing
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is caused by an incorrect implementation of the security UI for downloads in Google Chrome on Android before version 146.0.7680.71. A remote attacker can craft an HTML page that, when a user visits it, drives the Chrome Downloads UI to present misleading information, spoofing the download dialog. Users may therefore be misled into downloading or interacting with unwanted or malicious content. The flaw is classified as CWE-451 (User Interface Misrepresentation of Critical Information).

Affected Systems

The issue affects Google Chrome for Android prior to version 146.0.7680.71 (see the CPE entries for google:chrome). According to the provided CPE list the problem is specific to Android; other platforms such as macOS, Linux, and Windows are not impacted.

Risk and Exploitability

The CVSS 3.1 base score is 6.5 (vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N), indicating moderate severity: the attack is network-reachable and needs no privileges, but it requires user interaction and affects only integrity. The EPSS score is below 1%, suggesting a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog, further indicating low exploitation activity. The attack vector is remote, requiring the victim to open a crafted HTML page in Chrome on Android. Because it is a UI spoofing flaw, an attacker cannot directly achieve code execution but can potentially lure a user into downloading malicious content, leading to indirect compromise.

Generated by OpenCVE AI on March 17, 2026 at 16:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome on Android to version 146.0.7680.71 or newer
  • Avoid clicking on unfamiliar download prompts from unknown sites
  • Keep Chrome updated by enabling automatic updates or regularly checking the Chrome release notes



Advisories

Source      ID          Title
Debian DSA  DSA-6164-1  chromium security update
History

Fri, 20 Mar 2026 15:45:00 +0000

  • Title: UI Spoofing via Incorrect Download Security UI in Google Chrome Android

Mon, 16 Mar 2026 18:15:00 +0000

  • First Time appeared: Apple, Apple macos, Linux, Linux linux Kernel, Microsoft, Microsoft windows
  • Weaknesses: NVD-CWE-noinfo
  • CPEs:
      cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
      cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
      cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
      cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
  • Vendors & Products: Apple, Apple macos, Linux, Linux linux Kernel, Microsoft, Microsoft windows

Sat, 14 Mar 2026 04:15:00 +0000

  • Weaknesses: CWE-451
  • Metrics:
      cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}
      ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

  • First Time appeared: Google, Google chrome
  • Vendors & Products: Google, Google chrome

Wed, 11 Mar 2026 22:15:00 +0000

  • Description: Incorrect security UI in Downloads in Google Chrome on Android prior to 146.0.7680.71 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
References

MITRE
  Status: PUBLISHED
  Assigner: Chrome
  Published:
  Updated: 2026-03-14T03:08:23.246Z
  Reserved: 2026-03-11T05:54:14.678Z
  Link: CVE-2026-3937

Vulnrichment
  Updated: 2026-03-14T03:08:11.752Z

NVD
  Status: Analyzed
  Published: 2026-03-11T22:16:36.380
  Modified: 2026-03-16T18:12:19.577
  Link: CVE-2026-3937

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-03-20T15:36:43Z

Weaknesses