Description
Inappropriate implementation in Media in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-05-06
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from an inappropriate implementation in the Media component of Google Chrome that permits a remote attacker to craft an HTML page that performs UI spoofing. This flaw can mislead users into believing they are interacting with a legitimate interface when the page interface has been altered by the attacker. The official Chromium severity is low, indicating no confirmed code execution or direct data theft, but the deception could facilitate credential phishing or other social‑engineering attacks.

Affected Systems

The issue affects all Google Chrome editions that run a version prior to 148.0.7778.96. Users of earlier stable channel releases are vulnerable; no other products or vendors are listed as affected.

Risk and Exploitability

A CVSS score of 5.4 indicates moderate risk and the EPSS score of <1% indicates a very low exploitation probability, while the vulnerability is not listed in CISA’s KEV catalog, indicating that active exploitation has not been observed. The likely attack vector is a crafted HTML page served to the user, requiring the user to visit the page. Because the flaw only enables UI spoofing and does not grant code execution, the risk is moderate but could be amplified if combined with phishing techniques.

Generated by OpenCVE AI on May 9, 2026 at 04:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to 148.0.7778.96 or later to remove the vulnerable UI spoofing implementation.
  • Configure Chrome or network security controls to enforce strict validation of redirects and forwards, ensuring that any navigation or dynamic UI changes originate from trusted sources, following the guidelines for CWE‑451.
  • If an immediate update is not possible, apply web‑filtering or firewall policies that block or inspect content from untrusted domains to reduce exposure to crafted pages that could trigger UI spoofing.

Generated by OpenCVE AI on May 9, 2026 at 04:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6250-1 chromium security update
History

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Title Chrome Media Component UI Spoofing Vulnerability chromium-browser: Inappropriate implementation in Media
Weaknesses CWE-1021
References
Metrics threat_severity

None

 threat_severity

Low

Thu, 07 May 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Thu, 07 May 2026 05:00:00 +0000

Type Values Removed Values Added
Title Chrome Media Component UI Spoofing Vulnerability

Thu, 07 May 2026 01:15:00 +0000

Type Values Removed Values Added
Title Chrome UI Spoofing via Inadequate Media Handling
Weaknesses CWE-79

Wed, 06 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 06 May 2026 22:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-451
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 May 2026 20:15:00 +0000

Type Values Removed Values Added
Title Chrome UI Spoofing via Inadequate Media Handling
Weaknesses CWE-79

Wed, 06 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Media in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-06T21:46:15.542Z

Reserved: 2026-05-05T22:59:35.538Z

Link: CVE-2026-8015

cve-icon Vulnrichment

Updated: 2026-05-06T20:56:24.721Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T19:16:52.450

Modified: 2026-05-07T15:30:17.050

Link: CVE-2026-8015

cve-icon Redhat

Severity : Low

Publid Date: 2026-05-05T00:00:00Z

Links: CVE-2026-8015 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T04:15:06Z

Weaknesses