
CVE-2026-14154 is a UI spoofing vulnerability caused by an inappropriate implementation in DevTools in Google Chrome. It affects all versions of Google Chrome prior to 150.0.7871.47 on Windows, Mac, and Linux. An attacker who convinces a user to install a malicious Chrome extension can exploit this flaw to perform UI spoofing via a crafted extension. The vulnerability was published on June 30, 2026, and patched in Chrome 150.0.7871.47, released as part of a large stable channel update. It carries a CVSS v3.1 base score of 4.8 (Medium) and is rated Low severity by the Chromium security team (GitHub Advisory, Chrome Releases).
The root cause is classified as CWE-451 (User Interface Misrepresentation of Critical Information), where Chrome's DevTools component does not properly represent or validate information rendered through a crafted extension, allowing the UI to be spoofed. The attack vector is network-based with high attack complexity, requiring no privileges but necessitating that the attacker first socially engineer the victim into installing a malicious Chrome extension. Once the extension is installed, it can manipulate DevTools rendering to present misleading UI elements to the user. The Chromium issue tracker entry is referenced at https://issues.chromium.org/issues/517741170, though access may be restricted pending broad user updates (GitHub Advisory, Chrome Releases).
Successful exploitation allows an attacker to spoof the browser's DevTools UI, potentially deceiving users into taking unintended actions — such as believing they are interacting with a legitimate browser interface when they are not. The integrity and availability impacts are both rated Low, with no confidentiality impact, meaning the vulnerability does not directly expose sensitive data but could facilitate further social engineering or phishing attacks. The scope is unchanged, limiting the impact to the Chrome browser process itself without direct lateral movement capability (GitHub Advisory).
Indicators to review include extension permissions of concern (devtools, debugger API access) in chrome://extensions/; extension directories (%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\ on Windows or ~/.config/google-chrome/Default/Extensions/ on Linux) containing extensions not installed from the Chrome Web Store; and sideloading of unpacked extensions (--load-extension flag usage).
Update Google Chrome to version 150.0.7871.47 or later, which was released on June 30, 2026, as part of the stable channel update (Chrome Releases). Organizations managing Chrome deployments should enforce extension allowlisting via Chrome Enterprise policies to prevent installation of unauthorized extensions. Users should be advised to install extensions only from the official Chrome Web Store and from trusted publishers. No additional workarounds beyond patching have been specified by Google.
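The three detection points above (extension permissions, the profile Extensions directories, and --load-extension usage) as an added Python example; this is not code from the advisory, from Google, or from the Chromium project. It walks a Chrome-style Extensions directory, flags manifests that request the debugger permission or declare a devtools_page, flags extensions whose manifest lacks the Chrome Web Store update_url, and extracts paths passed via --load-extension from a captured command line. The directory layout (Extensions/<id>/<version>/manifest.json), the update_url heuristic, and the sample extension IDs and manifests are assumptions constructed here for the demonstration; on a real host, point audit_extensions_dir at one of the profile paths listed above.

```python
"""Audit a Chrome Extensions directory for sideloaded or DevTools-capable extensions.

Added example, not part of the advisory. Assumed layout (constructed here):
<Extensions>/<extension_id>/<version>/manifest.json
"""
import json
import tempfile
from pathlib import Path

# Extensions installed from the Chrome Web Store carry this update_url in their
# installed manifest; its absence is used as a sideloading heuristic (assumption).
WEB_STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"


def audit_manifest(manifest):
    """Return a list of findings for one parsed manifest.json (empty if clean)."""
    findings = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    if "debugger" in perms:
        findings.append("requests debugger permission")
    if "devtools_page" in manifest:
        findings.append("declares a devtools_page")
    if manifest.get("update_url") != WEB_STORE_UPDATE_URL:
        findings.append("not installed from the Chrome Web Store (no Web Store update_url)")
    return findings


def audit_extensions_dir(extensions_dir):
    """Map extension id -> findings for every extension under extensions_dir."""
    results = {}
    root = Path(extensions_dir)
    if not root.is_dir():
        return results
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for manifest_path in sorted(ext_dir.glob("*/manifest.json")):
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                results.setdefault(ext_dir.name, []).append("unreadable manifest")
                continue
            findings = audit_manifest(manifest)
            if findings:
                results.setdefault(ext_dir.name, []).extend(findings)
    return results


def sideloaded_from_cmdline(cmdline):
    """Return the paths passed via --load-extension in a browser command line."""
    for arg in cmdline.split():
        if arg.startswith("--load-extension="):
            return [p for p in arg.split("=", 1)[1].split(",") if p]
    return []


def build_sample_profile(base_dir):
    """Write a constructed two-extension profile under base_dir; return its Extensions path."""
    ext_root = Path(base_dir) / "Extensions"
    samples = {
        # constructed id: a Web Store extension with a benign permission set
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "manifest_version": 3, "name": "Sample store extension", "version": "1.0",
            "permissions": ["storage"], "update_url": WEB_STORE_UPDATE_URL,
        },
        # constructed id: a sideloaded extension with DevTools-related capabilities
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "manifest_version": 3, "name": "Sample sideloaded extension", "version": "0.1",
            "permissions": ["debugger", "tabs"], "devtools_page": "devtools.html",
        },
    }
    for ext_id, manifest in samples.items():
        version_dir = ext_root / ext_id / f"{manifest['version']}_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return ext_root


def run_sample_audit():
    """Audit the constructed sample profile in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_extensions_dir(build_sample_profile(tmp))


if __name__ == "__main__":
    for ext_id, findings in run_sample_audit().items():
        print(f"{ext_id}: " + "; ".join(findings))
    # constructed command line showing a sideloaded extension
    print(sideloaded_from_cmdline("chrome --load-extension=/tmp/sample-ext --no-first-run"))
```

Only the constructed sideloaded extension is reported; the store-installed one produces no findings. The update_url check is a heuristic and should be combined with the permission findings rather than used alone.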
Source: This report was generated with the help of AI