CVE-2026-8564 - Vulnerability Details

- chromium-browser: chromium-browser: Incorrect security UI in Downloads

Description

Incorrect security UI in Downloads in Google Chrome on Android and Mac prior to 148.0.7778.168 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Published: 2026-05-14

Score: 4.2 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Chrome’s Downloads UI displayed an incorrect security prompt when a user visited a specially crafted HTML page, allowing the attacker to spoof the download security dialog. This flaw enables unauthenticated remote users to perform UI spoofing. Based on the description, it is inferred that the vulnerability can be triggered by delivering a malicious HTML page that the user opens in the browser.

Affected Systems

The issue affects Google Chrome for Android and Mac OS versions earlier than 148.0.7778.168. Any system hosting these older Chrome binaries is susceptible until an updated version is installed.

Risk and Exploitability

Chromium rates the severity of this flaw as medium with a CVSS score of 4.2. The EPSS score is reported as less than 1% and the vulnerability is not listed in the CISA KEV catalog. Thus, the likelihood of exploitation is low, but an attacker who successfully lures a user to crafted content could trick the user into accepting malicious files, compromising the integrity of the download process and potentially enabling malware infection.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Google

Chrome

affected

Version	Status	Constraints
`148.0.7778.168`	affected	< 148.0.7778.168

No data.

Vendor Product Confidence Versions

Google

Chrome

100%

Version	Status	Scheme	Platform
`[148.0.7778.168,148.0.7778.168)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Google Chrome to version 148.0.7778.168 or later, which resolves the incorrect security UI.
Enable Chrome’s Safe Browsing and download guard features to provide additional protection against malicious downloads.
If an update cannot be applied immediately, enforce stricter download confirmation settings and restrict downloads from untrusted sites via enterprise policy.

Generated by OpenCVE AI on May 15, 2026 at 15:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6273-1	chromium security update

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00057.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_12.html
https://issues.chromium.org/issues/418273622
https://nvd.nist.gov/vuln/detail/CVE-2026-8564
https://www.cve.org/CVERecord?id=CVE-2026-8564

History

Fri, 15 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Title	Incorrect Security Prompt – UI Spoofing in Chrome Downloads	chromium-browser: chromium-browser: Incorrect security UI in Downloads
Weaknesses		CWE-1021
References		https://nvd.nist.gov/vuln/detail/CVE-2026-8564 https://www.cve.org/CVERecord?id=CVE-2026-8564
Metrics	threat_severity `None`	threat_severity `Moderate`

Fri, 15 May 2026 01:45:00 +0000

Type	Values Removed	Values Added
Title		Incorrect Security Prompt – UI Spoofing in Chrome Downloads

Fri, 15 May 2026 00:30:00 +0000

Type	Values Removed	Values Added
Title	UI Spoofing in Chrome Downloads via Crafted HTML
Weaknesses	CWE-79

Thu, 14 May 2026 22:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Google Google chrome
Vendors & Products		Google Google chrome

Thu, 14 May 2026 22:30:00 +0000

Type	Values Removed	Values Added
Title		UI Spoofing in Chrome Downloads via Crafted HTML
Weaknesses		CWE-79

Thu, 14 May 2026 22:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-451
Metrics		cvssV3_1 `{'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 14 May 2026 20:15:00 +0000

Type	Values Removed	Values Added
Description		Incorrect security UI in Downloads in Google Chrome on Android and Mac prior to 148.0.7778.168 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
References		https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_12.html https://issues.chromium.org/issues/418273622

Subscriptions

Google Chrome

MITRE

Status: PUBLISHED

Assigner: Chrome

Published: 2026-05-14T19:52:30.875Z

Updated: 2026-05-14T21:25:29.731Z

Reserved: 2026-05-14T05:40:23.126Z

Link: CVE-2026-8564

Vulnrichment

Updated: 2026-05-14T21:25:24.754Z

NVD

Status : Awaiting Analysis

Published: 2026-05-14T20:17:18.550

Modified: 2026-05-14T22:16:49.850

Link: CVE-2026-8564

Redhat

Severity : Moderate

Publid Date: 2026-05-14T19:52:30Z

Links: CVE-2026-8564 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-15T15:15:46Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact Low

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object