Description
Insufficient validation of untrusted input in SSL in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-05-06
Score: 4.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the SSL input validation in Google Chrome before version 148.0.7778.96 allows a remote attacker, once the renderer process is compromised, to craft HTML that can deceive users into accepting forged content. The weakness originates from insufficient checks on untrusted input delivered over SSL (CWE‑20) and also represents an improper handling of SSL data (CWE‑807). Because the vulnerability can mislead users into interacting with malicious content, it presents a significant threat to user trust and data integrity within the browser.

Affected Systems

The affected product is Google Chrome. All releases of Chrome prior to 148.0.7778.96 are vulnerable. Users running any of those versions should consider updating promptly.

Risk and Exploitability

The CVSS score is 4.2; the official severity is listed as Low. The EPSS score indicates a very low exploitation probability (<1%) and the vulnerability is not in the CISA KEV catalog. The exploitation path requires a remote attacker to first compromise the renderer process, which limits immediate risk but remains a concern for environments where such compromise is feasible. Because no public exploits are known, the likelihood of attack is considered low; however, upgrading mitigates all known risk.

Generated by OpenCVE AI on May 9, 2026 at 04:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 148.0.7778.96 or later
  • Avoid using extensions that modify SSL behavior or page rendering unless vetted
  • Remain vigilant for unexpected SSL warnings or mismatched page titles that may indicate spoofing attempts

Generated by OpenCVE AI on May 9, 2026 at 04:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6250-1 chromium security update
History

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Insufficient validation of untrusted input in SSL
Weaknesses CWE-807
References
Metrics threat_severity

None

 threat_severity

Low

Thu, 07 May 2026 01:15:00 +0000

Type Values Removed Values Added
Title Chrome UI Spoofing from SSL Input Validation Flaw

Wed, 06 May 2026 23:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Wed, 06 May 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 May 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 06 May 2026 20:30:00 +0000

Type Values Removed Values Added
Title Chrome UI Spoofing from SSL Input Validation Flaw

Wed, 06 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in SSL in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Weaknesses CWE-20
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-06T21:49:29.931Z

Reserved: 2026-05-05T22:59:30.659Z

Link: CVE-2026-7996

cve-icon Vulnrichment

Updated: 2026-05-06T21:29:25.334Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T19:16:50.477

Modified: 2026-05-06T23:18:54.167

Link: CVE-2026-7996

cve-icon Redhat

Severity : Low

Publid Date: 2026-05-05T00:00:00Z

Links: CVE-2026-7996 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T04:45:26Z

Weaknesses