Description
Inappropriate implementation in Views in Google Chrome on iOS prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-05-14
Score: 4.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper implementation of the Views component in Google Chrome on iOS allows a remote attacker who has already compromised the renderer process to craft a malicious HTML page that mimics legitimate UI elements. This enables the attacker to deceive users by presenting counterfeit dialog boxes or input fields. The vulnerability is classified as Medium severity by Chromium and does not provide remote code execution, data exfiltration, or other gains unless the attacker has already gained renderer process control.

Affected Systems

The flaw affects all installations of Google Chrome for iOS running versions earlier than 148.0.7778.168. Chrome 148.0.7778.168 and later contain the fix, so Chrome on the iOS platform is protected once upgraded to that version or newer.

Risk and Exploitability

The CVSS score is 4.2, and no EPSS score is available, indicating that the exploitation probability is unknown. The issue is not listed in the CISA KEV catalog. Exploitation requires that the attacker already has access to the renderer process—such as via a local device compromise, a malicious extension, or a vulnerability that grants process control—after which they can serve a specially crafted webpage or embed malicious content in an otherwise legitimate site. Because the renderer runs locally, the primary attack vector is local to the device, but a malicious actor who controls the device could also publish a phishing link that forces Chrome to load the deceptive page.

Generated by OpenCVE AI on May 15, 2026 at 02:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome for iOS to version 148.0.7778.168 or later
  • Disable or uninstall any third‑party extensions that alter UI elements or inject scripts
  • Check for and install future Chrome updates from the App Store to ensure continued protection



Advisories
Source | ID | Title
Debian DSA | DSA-6273-1 | chromium security update
History

Fri, 15 May 2026 01:30:00 +0000

Type Values Removed Values Added
Title Inappropriate Views Implementation Enables UI Spoofing on iOS
Weaknesses CWE-1031
CWE-639

Thu, 14 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 14 May 2026 22:15:00 +0000

Type Values Removed Values Added
Title Inappropriate Views Implementation Enables UI Spoofing on iOS
Weaknesses CWE-1031
CWE-451
CWE-639
Metrics cvssV3_1

{'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Views in Google Chrome on iOS prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-14T21:20:57.642Z

Reserved: 2026-05-14T05:40:27.782Z

Link: CVE-2026-8584

Vulnrichment

Updated: 2026-05-14T21:20:45.998Z

NVD

Status: Awaiting Analysis

Published: 2026-05-14T20:17:20.797

Modified: 2026-05-14T22:16:51.530

Link: CVE-2026-8584

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T02:30:34Z

Weaknesses