Description
Insufficient validation of untrusted input in Dialog in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-05-06
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a lack of proper validation for untrusted input in the Dialog component of Google Chrome. An attacker who has already compromised the renderer process can serve a crafted HTML page that causes the browser to display fake interface elements, potentially tricking a user into interacting with malicious content. The flaw allows only UI spoofing; it does not provide direct code execution or data exfiltration capabilities beyond the deceptive user experience.

Affected Systems

Google Chrome installation (any version prior to 148.0.7778.96). The issue exists in the stable channel of the browser and is fixed in the release 148.0.7778.96 and newer.

Risk and Exploitability

The CVSS score of 5.4 indicates a Low severity assessment, reflecting the limited nature of the impact. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the attacker already have control over the renderer process, which is a significant prerequisite. Because of the limited scope and lack of publicly known exploits, the risk is currently low, yet the UI deception can still facilitate phishing or other social engineering attacks.

Generated by OpenCVE AI on May 7, 2026 at 00:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install Google Chrome version 148.0.7778.96 or later to mitigate the UI spoofing flaw
  • Ensure that Chrome’s automatic update feature is enabled so future security fixes are applied promptly
  • Review application environments for any indication of compromised renderer processes and remediate those vulnerabilities to prevent initial foothold

Generated by OpenCVE AI on May 7, 2026 at 00:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 01:15:00 +0000

Type Values Removed Values Added
Title Dialog UI Spoofing in Google Chrome

Wed, 06 May 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 May 2026 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 06 May 2026 21:15:00 +0000

Type Values Removed Values Added
Title Dialog UI Spoofing in Google Chrome

Wed, 06 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in Dialog in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Weaknesses CWE-20
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-06T21:49:11.002Z

Reserved: 2026-05-05T22:59:31.193Z

Link: CVE-2026-7998

cve-icon Vulnrichment

Updated: 2026-05-06T21:25:20.444Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-06T19:16:50.720

Modified: 2026-05-06T22:16:43.530

Link: CVE-2026-7998

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T01:00:14Z

Weaknesses