Impact
An incorrectly implemented security UI in the omnibox of Google Chrome on iOS allows a remote attacker to manipulate the user interface through a specially crafted web page. This flaw can cause users to see a false or misleading security indicator, leading them to believe that a page is secure when it is not. The weakness lies in the presentation layer rather than in the underlying security mechanisms, which is why the Chromium Security team classifies it as low severity.
Affected Systems
Google Chrome on iOS versions prior to 147.0.7727.55 are affected. The issue exists in the omnibox component, the combined address and search bar that appears on the browser's home screen. All iOS devices running a Chrome version below that release remain vulnerable until they receive the official update.
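A practical follow-up for defenders is confirming which managed devices still run a pre-fix build. The script below is an added example, not code from OpenCVE or the Chromium project; the only value taken from the advisory is the fixed version 147.0.7727.55, and the inventory rows are constructed to stand in for a hypothetical MDM export. It compares versions numerically (a plain string comparison would wrongly rank 147.0.7727.9 above 147.0.7727.55), ignores rows for other platforms or apps, and reports unparseable version strings instead of silently skipping them.

```python
"""Flag Chrome-on-iOS installs that are still below the fixed build.

Added example: the only advisory-derived value is FIXED_VERSION; the
inventory rows in SAMPLE_INVENTORY are constructed, not real data.
"""
import csv
import io
from typing import Dict, List, Tuple

# From the advisory: Chrome on iOS versions prior to this build are affected.
FIXED_VERSION = "147.0.7727.55"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple of ints for numeric comparison.

    Lexicographic string comparison would treat "147.0.7727.9" as newer than
    "147.0.7727.55", which makes an unpatched device look patched.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is strictly older than the fixed build."""
    return parse_version(version) < parse_version(fixed)


# Constructed sample inventory (hypothetical MDM export format), not real data.
SAMPLE_INVENTORY = """\
device_id,platform,app,version
ipad-001,iOS,Chrome,147.0.7727.55
iphone-002,iOS,Chrome,147.0.7727.9
iphone-003,iOS,Chrome,146.0.7712.88
iphone-004,iOS,Safari,18.4
pixel-005,Android,Chrome,146.0.7712.88
iphone-006,iOS,Chrome,unknown
"""


def classify_inventory(csv_text: str) -> Dict[str, str]:
    """Map each Chrome-on-iOS device id to "affected", "patched" or "unparseable".

    Rows for other platforms or apps are left out because the advisory only
    covers Chrome on iOS. A version string that cannot be parsed is reported
    as "unparseable" so a bad inventory row cannot hide an unpatched device.
    """
    result: Dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["platform"] != "iOS" or row["app"] != "Chrome":
            continue
        try:
            status = "affected" if is_affected(row["version"]) else "patched"
        except ValueError:
            status = "unparseable"
        result[row["device_id"]] = status
    return result


def find_unpatched(csv_text: str) -> List[str]:
    """Sorted device ids that still need the Chrome update."""
    classified = classify_inventory(csv_text)
    return sorted(d for d, s in classified.items() if s == "affected")


if __name__ == "__main__":
    for device_id, status in classify_inventory(SAMPLE_INVENTORY).items():
        print(f"{device_id}: {status}")
```

Feed the script a real export by replacing SAMPLE_INVENTORY with the contents of your inventory file; devices in the "unparseable" bucket deserve a manual look rather than being assumed safe.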
Risk and Exploitability
The attack vector is likely remote, requiring the user to visit a malicious web page that contains the crafted content. Although no CVSS score has been published, the vulnerability is considered low risk by Chromium. EPSS data is unavailable, and the vulnerability is not listed in CISA's KEV catalog, suggesting limited public exploitation. Nevertheless, an attacker could use this UI deception to phish credentials or steer user behavior, so remediation is advised.
OpenCVE Enrichment