Description
Insufficient validation of untrusted input in Dialog in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-05-06
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a lack of proper validation for untrusted input in the Dialog component of Google Chrome. An attacker who has already compromised the renderer process can serve a crafted HTML page that causes the browser to display fake interface elements, potentially tricking a user into interacting with malicious content. The flaw allows only UI spoofing; it does not provide direct code execution or data exfiltration capabilities beyond the deceptive user experience. The root cause is an input validation defect identified as CWE‑20 and CWE‑79.

Affected Systems

Google Chrome installation (any version prior to 148.0.7778.96). The issue exists in the stable channel of the browser and is fixed in the release 148.0.7778.96 and newer.

Risk and Exploitability

The CVSS score of 5.4 indicates a Low severity assessment, reflecting the limited nature of the impact. The EPSS score is less than 1%, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the attacker already have control over the renderer process, which is a significant prerequisite. Because of the limited scope and lack of publicly known exploits, the risk is currently low, yet the UI deception can still facilitate phishing or other social engineering attacks.

Generated by OpenCVE AI on May 9, 2026 at 04:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install Google Chrome version 148.0.7778.96 or later to mitigate the UI spoofing flaw
  • Ensure that Chrome’s automatic update feature is enabled so future security fixes are applied promptly
  • Review application environments for any indication of compromised renderer processes and remediate those vulnerabilities to prevent initial foothold

Generated by OpenCVE AI on May 9, 2026 at 04:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6250-1 chromium security update
History

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Title Chrome Dialog UI Spoofing Vulnerability chromium-browser: Insufficient validation of untrusted input in Dialog
Weaknesses CWE-79
References
Metrics threat_severity

None

 threat_severity

Low

Thu, 07 May 2026 15:45:00 +0000

Type Values Removed Values Added
Title Chrome Dialog UI Spoofing Vulnerability

Thu, 07 May 2026 13:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Thu, 07 May 2026 01:15:00 +0000

Type Values Removed Values Added
Title Dialog UI Spoofing in Google Chrome

Wed, 06 May 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 May 2026 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 06 May 2026 21:15:00 +0000

Type Values Removed Values Added
Title Dialog UI Spoofing in Google Chrome

Wed, 06 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in Dialog in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Weaknesses CWE-20
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-06T21:49:11.002Z

Reserved: 2026-05-05T22:59:31.193Z

Link: CVE-2026-7998

cve-icon Vulnrichment

Updated: 2026-05-06T21:25:20.444Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T19:16:50.720

Modified: 2026-05-07T13:40:01.117

Link: CVE-2026-7998

cve-icon Redhat

Severity : Low

Publid Date: 2026-05-05T00:00:00Z

Links: CVE-2026-7998 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T04:45:26Z

Weaknesses