Description
Incorrect security UI in Downloads in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-04-08
Score: n/a
EPSS: n/a
KEV: No
Impact: UI Spoofing
Action: Patch Urgently
AI Analysis

Impact

An incorrect behavior in the Downloads security user interface of Google Chrome prior to version 147.0.7727.55 lets a remote attacker craft a web page that, when a user interacts with specific UI gestures, causes the browser to display misleading UI elements. This UI spoofing can trick users into accepting malicious downloads or following unsafe links. No direct code execution or data loss occurs, but the social engineering required can lead to user compromise or accidental download of malware.

Affected Systems

The flaw affects all installations of the stable channel of Google Chrome that have not yet been updated to 147.0.7727.55 or later. This includes every platform supported by Chrome (Windows, macOS, Linux, Android, iOS) because the issue resides in the core download UI logic.

Risk and Exploitability

Chromium rates the issue as low severity. There is no public evidence of exploitation and no EPSS score is available. An attacker would need to lure a user to a malicious web page and persuade the user to perform specific UI gestures, so the attack requires both user interaction and social engineering. Although the risk is moderate given the low severity rating, the potential for phishing or malware delivery warrants prompt mitigation.

Generated by OpenCVE AI on April 8, 2026 at 22:57 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 147.0.7727.55 or newer.
  • If an upgrade cannot be performed immediately, configure the browser or policy to block or require confirmation for all downloads.
  • Avoid visiting untrusted websites and be cautious of download prompts.


Tracking


Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type                 Values Removed   Values Added
Title                (none)           Incorrect Downloads Security UI in Google Chrome Enables UI Spoofing
First Time appeared  (none)           Google; Google chrome
Weaknesses           (none)           CWE-847
Vendors & Products   (none)           Google; Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Type                 Values Removed   Values Added
Description          (none)           Incorrect security UI in Downloads in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-08T21:20:57.861Z

Reserved: 2026-04-08T19:34:42.284Z

Link: CVE-2026-5897

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-08T22:16:29.597

Modified: 2026-04-08T22:16:29.597

Link: CVE-2026-5897

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:26:21Z

Weaknesses