Description
Insufficient policy enforcement in browser UI in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-04-08
Score: 5.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Omnibox content spoofing for phishing
Action: Immediate Patch
AI Analysis

Impact

A flaw in Google Chrome prevents sufficient policy enforcement in the browser UI, enabling a remote attacker who has already compromised the renderer process to serve a crafted HTML page that can overwrite the displayed address in the Omnibox. The effect is that users see a forged URL that does not match the actual site they are interacting with, which can be leveraged for phishing or social engineering. The vulnerability carries a Medium severity assigned by Chromium security, indicative of the potential for user deception but not of direct system compromise.

Affected Systems

All machines running the stable channel of Google Chrome with a version earlier than 147.0.7727.55 are affected. The weakness does not depend on operating system, extensions, or user settings; any installation of Chrome that allows the renderer process to be hijacked can be used to deliver the malicious page.

Risk and Exploitability

The flaw has a Medium CVSS score and no EPSS data is available, suggesting no evidence of widespread exploitation yet. Because the attacker must first achieve renderer-process compromise, typically via a separate vulnerability or malicious content delivery, an adversary would need to bypass one protective layer first. Once that is achieved, the Omnibox can be spoofed to mislead the user, but this does not grant direct payload execution or system access. The risk is therefore limited to user deception unless combined with other exploits.

Generated by OpenCVE AI on April 8, 2026 at 23:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 147.0.7727.55 or later
  • Ensure automatic updates for the stable channel are enabled
  • Verify that the Omnibox displays the correct URL for trusted sites

Advisories

Source | ID | Title
Debian DSA | DSA-6205-1 | chromium security update

History

Fri, 10 Apr 2026 12:15:00 +0000

Type | Values Removed | Values Added
Title | Chrome Omnibox Spoofing via Compromised Renderer | chromium-browser: Incorrect security UI in browser UI
Weaknesses | | CWE-290
References | |
Metrics | threat_severity: None | cvssV3_1: {'score': 5.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N'}; threat_severity: Moderate


Thu, 09 Apr 2026 08:30:00 +0000

Type | Values Removed | Values Added
Title | | Chrome Omnibox Spoofing via Compromised Renderer
First Time appeared | | Google; Google chrome
Weaknesses | | CWE-200; CWE-79
Vendors & Products | | Google; Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient policy enforcement in browser UI in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium)
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-08T21:20:49.126Z

Reserved: 2026-04-08T19:34:37.513Z

Link: CVE-2026-5880

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-08T22:16:27.650

Modified: 2026-04-08T22:16:27.650

Link: CVE-2026-5880

Red Hat

Severity : Moderate

Public Date: 2026-04-07T00:00:00Z

Links: CVE-2026-5880 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-09T08:26:46Z

Weaknesses