Description
Insufficient policy enforcement in browser UI in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-04-08
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: UI Spoofing
Action: Update
AI Analysis

Impact

Insufficient policy enforcement in the Chrome browser UI allows an attacker who has compromised the renderer process to craft an HTML page that displays fake UI elements, creating the illusion of legitimate content. The weakness, identified as UI spoofing, can mislead users into interacting with malicious input or revealing sensitive information. This attack primarily affects the integrity of the browsing experience and can undermine user trust without compromising system confidentiality.

Affected Systems

Chrome versions released before 147.0.7727.55 on all supported operating systems, including Windows, macOS, and Linux. Users of these versions are at risk regardless of platform.

Risk and Exploitability

The CVSS score of 4.3 classifies the vulnerability as Medium, yet the EPSS score of less than 1% implies a low probability of exploitation. It is not currently listed in the CISA KEV catalog. Exploitation requires the attacker to compromise or control the renderer process, which typically occurs when the user visits a malicious or compromised webpage or installs a malicious extension. Once the renderer is compromised, the attacker can perform UI spoofing without additional privileges or network access.

Generated by OpenCVE AI on April 14, 2026 at 12:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Chrome update (147.0.7727.55 or newer).
  • If unable to update immediately, consider disabling or restricting the renderer process through enterprise policies or disabling extensions that could facilitate renderer compromise.

Generated by OpenCVE AI on April 14, 2026 at 12:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6205-1 chromium security update
History

Tue, 14 Apr 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Mon, 13 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-451
Metrics cvssV3_1

{'score': 4.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1036
CWE-264

Fri, 10 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Title Insufficient UI Policy Enforcement Enables Renderer-Based Spoofing in Chrome chromium-browser: Insufficient policy enforcement in browser UI
Weaknesses CWE-1021
References
Metrics threat_severity

None

 cvssV3_1

{'score': 4.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N'}

threat_severity

Moderate

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Title Insufficient UI Policy Enforcement Enables Renderer-Based Spoofing in Chrome
First Time appeared Google
Google chrome
Weaknesses CWE-1036
CWE-264
Vendors & Products Google
Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in browser UI in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-13T20:15:22.618Z

Reserved: 2026-04-08T19:34:40.426Z

Link: CVE-2026-5891

cve-icon Vulnrichment

Updated: 2026-04-13T20:14:49.047Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-08T22:16:28.990

Modified: 2026-04-14T11:44:52.557

Link: CVE-2026-5891

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-07T00:00:00Z

Links: CVE-2026-5891 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:37:38Z

Weaknesses