CVE-2026-14153
Chromium vulnerability analysis and mitigation

Overview

CVE-2026-14153 is a UI spoofing vulnerability caused by an inappropriate implementation in the Glic component of Google Chrome. It affects all versions of Google Chrome prior to 150.0.7871.47 on Windows, Mac, and Linux. A remote attacker who convinces a user to perform specific UI gestures can exploit a crafted HTML page to spoof the browser's user interface. The vulnerability was disclosed on June 30, 2026, and carries a CVSS v3.1 base score of 5.3 (Medium), with a Chromium-assigned severity of Low (GitHub Advisory, Chrome Releases).

Technical details

The root cause is classified as CWE-451 (User Interface Misrepresentation of Critical Information), meaning the Glic component in Chrome fails to properly represent critical UI information to the user, enabling spoofing of dialogs or content. Exploitation requires the attacker to serve a crafted HTML page and socially engineer the victim into performing specific UI gestures (e.g., clicks or interactions), after which the malicious page can render spoofed UI elements that mimic legitimate Chrome interfaces. The attack vector is network-based, requires no privileges, but does require user interaction and has high attack complexity, limiting opportunistic exploitation (GitHub Advisory).

Impact

Successful exploitation allows an unauthenticated remote attacker to deceive users by displaying spoofed UI elements — such as fake dialogs, permission prompts, or content origin indicators — that do not reflect the true state or source of browser content. The primary impact is to confidentiality (rated High in CVSS), as users may be tricked into disclosing sensitive information or granting permissions based on falsified UI. There is no direct integrity or availability impact, and the vulnerability's scope is unchanged, limiting blast radius to the affected browser session (GitHub Advisory).

Exploitation steps

  1. Reconnaissance: Identify targets using Google Chrome versions prior to 150.0.7871.47 on Windows, Mac, or Linux.
  2. Craft malicious HTML page: Develop a webpage that abuses the Glic component's inappropriate UI implementation to render spoofed interface elements (e.g., fake permission dialogs or security indicators).
  3. Social engineering: Lure the target user to visit the crafted page and convince them to perform specific UI gestures (e.g., clicking a button or interacting with a UI element) that trigger the spoofing behavior.
  4. UI spoofing execution: Upon the required user interaction, the crafted page causes Chrome to display misleading UI elements, potentially impersonating legitimate browser dialogs or content origin indicators.
  5. Objective achieved: The deceived user may grant unintended permissions, disclose sensitive information, or take actions based on the falsified UI (Chrome Releases, GitHub Advisory).

Mitigation and workarounds

Google has released a patch in Chrome version 150.0.7871.47 (Windows/Mac) and 150.0.7871.46 (Linux), which is part of the Chrome 151 stable channel promotion announced June 30, 2026. Users and administrators should update Google Chrome to version 150.0.7871.47 or later immediately. As a general precaution, users should be cautious when visiting untrusted websites and remain alert to UI elements that appear inconsistent with Chrome's standard appearance (Chrome Releases).

This report was generated with the help of AI.

Related Chromium vulnerabilities:

CVE ID         | Severity | Score | Technologies | Component name | CISA KEV exploit | Fixed | Publication date
---------------|----------|-------|--------------|----------------|------------------|-------|-----------------
CVE-2026-14156 | NONE     | N/A   | Chromium     | chromium       | No               | No    | Jun 30, 2026
CVE-2026-14155 | NONE     | N/A   | Chromium     | chromium       | No               | No    | Jun 30, 2026
CVE-2026-14154 | NONE     | N/A   | Chromium     | chromium       | No               | No    | Jun 30, 2026
CVE-2026-14153 | NONE     | N/A   | Chromium     | chromium       | No               | No    | Jun 30, 2026
CVE-2026-14152 | NONE     | N/A   | Chromium     | chromium       | No               | No    | Jun 30, 2026
