CVE-2026-14154
Chromium Vulnerability Analysis and Mitigation

Overview

CVE-2026-14154 is a UI spoofing vulnerability caused by an inappropriate implementation in DevTools in Google Chrome. It affects all versions of Google Chrome prior to 150.0.7871.47 on Windows, Mac, and Linux. An attacker who convinces a user to install a crafted Chrome extension can use that extension to spoof browser UI. The vulnerability was published on June 30, 2026, and fixed in Chrome 150.0.7871.47, released as part of a large stable channel update. It carries a CVSS v3.1 base score of 4.8 (Medium) and is rated Low severity by the Chromium security team (GitHub Advisory, Chrome Releases).

Technical details

The root cause is classified as CWE-451 (User Interface Misrepresentation of Critical Information): Chrome's DevTools component does not correctly represent or validate information rendered on behalf of a crafted extension, so the extension can make the UI show something other than the true state. The attack vector is network-based with high attack complexity and requires no privileges, but it does require user interaction: the attacker must first socially engineer the victim into installing the malicious extension. Once installed, the extension can manipulate DevTools rendering to present misleading UI elements to the user. The Chromium issue tracker entry is https://issues.chromium.org/issues/517741170; as is usual for Chromium security bugs, it may remain access-restricted until most users have updated (GitHub Advisory, Chrome Releases).

Impact

Successful exploitation lets an attacker spoof the browser's DevTools UI, potentially deceiving a user into taking unintended actions by making them believe they are interacting with a legitimate browser interface when they are not. The integrity and availability impacts are both rated Low and there is no confidentiality impact: the vulnerability does not directly expose data, but it can lend credibility to follow-on social engineering or phishing. Scope is unchanged, so the impact is confined to the browser itself and does not by itself reach other components (GitHub Advisory).

Exploitation steps

  1. Craft a malicious Chrome extension: Develop a Chrome extension that abuses DevTools APIs or UI rendering to display spoofed interface elements to the user.
  2. Social engineering: Convince the target user to install the malicious extension, for example by distributing it via a phishing page, sideloading it, or disguising it as a legitimate tool.
  3. Trigger DevTools interaction: Once installed, the extension manipulates the DevTools UI to present misleading or spoofed information — such as fake security indicators, false page origins, or deceptive prompts.
  4. Deceive the user: The spoofed UI causes the victim to take unintended actions, such as entering credentials, approving permissions, or trusting a malicious page, believing the interface is legitimate (GitHub Advisory, Chrome Releases).

Indicators of compromise

  • Browser Extensions: Presence of unknown or unrecognized Chrome extensions in chrome://extensions/ whose manifest requests the debugger permission or registers a devtools_page (there is no separate "devtools" permission; DevTools integration is declared through these two manifest entries).
  • File System: Unexpected extension directories in the Chrome user profile path (e.g., %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\ on Windows or ~/.config/google-chrome/Default/Extensions/ on Linux) containing extensions not installed from the Chrome Web Store.
  • Logs: Chrome policy or enterprise management logs showing extension installations from non-Web Store sources or via sideloading (--load-extension flag usage).
  • Network: Outbound connections from the Chrome process to unusual or unknown domains shortly after extension installation, potentially indicating C2 communication by a malicious extension.

Mitigation and workarounds

Update Google Chrome to version 150.0.7871.47 or later, released on June 30, 2026, as part of the stable channel update (Chrome Releases); the installed version can be checked at chrome://settings/help. Organizations managing Chrome deployments should enforce extension allowlisting via Chrome Enterprise policies (ExtensionInstallBlocklist set to * together with ExtensionInstallAllowlist, or the equivalent ExtensionSettings policy) so that unauthorized extensions cannot be installed. Users should be advised to install extensions only from the official Chrome Web Store and only from trusted publishers. No additional workarounds beyond patching have been specified by Google.
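The indicator list above and the allowlisting recommendation in this section reduce to the same check: enumerate what is installed under the profile's Extensions/ directory and compare it with what should be there. The following Python script is an added example, not code from Google, the Chromium project or the advisory. It walks the manifest.json files in Chrome's on-disk layout (Extensions/<id>/<version>/manifest.json), flags the debugger permission, a devtools_page entry and a missing Chrome Web Store update_url, and reports extension IDs outside a supplied allowlist of the kind an ExtensionInstallAllowlist policy would enforce. The two manifests it writes into a temporary profile are constructed for the example; point audit_profile() at one of the real profile paths from the indicator list to run it against a live install.

```python
"""Audit a Chrome profile's installed extensions for the indicators above.

Added example, not code from Google, the Chromium project or the advisory.
Walks <profile>/Extensions/<id>/<version>/manifest.json and flags manifests
that declare the "debugger" permission, register a "devtools_page", lack the
Chrome Web Store update_url, or whose ID is outside an allowlist. The two
manifests in build_sample_profile() are constructed for this example.
"""
import json
import os
import re
import tempfile
from dataclasses import dataclass, field

# Extensions installed from the Chrome Web Store carry this update_url.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
# Chrome extension IDs are 32 characters drawn from the letters a..p.
EXTENSION_ID_RE = re.compile(r"^[a-p]{32}$")


@dataclass
class Finding:
    ext_id: str
    version: str
    name: str
    reasons: list = field(default_factory=list)


def audit_manifest(ext_id, version, manifest, allowlist=None):
    """Apply the indicator rules to one parsed manifest.json."""
    reasons = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    if "debugger" in perms:
        reasons.append("declares debugger permission")
    if "devtools_page" in manifest:
        reasons.append("registers a devtools_page")
    if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
        reasons.append("update_url is not the Chrome Web Store")
    if not EXTENSION_ID_RE.match(ext_id):
        reasons.append("directory name is not a well-formed extension ID")
    if allowlist is not None and ext_id not in allowlist:
        reasons.append("not on the extension allowlist")
    return Finding(ext_id, version, manifest.get("name", "?"), reasons)


def audit_profile(profile_dir, allowlist=None):
    """Return a Finding for every installed extension version that hit at least one rule."""
    findings = []
    ext_root = os.path.join(profile_dir, "Extensions")
    for ext_id in sorted(os.listdir(ext_root)):
        id_dir = os.path.join(ext_root, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version in sorted(os.listdir(id_dir)):
            manifest_path = os.path.join(id_dir, version, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as fh:
                manifest = json.load(fh)
            finding = audit_manifest(ext_id, version, manifest, allowlist)
            if finding.reasons:
                findings.append(finding)
    return findings


BENIGN_ID = "a" * 32                    # constructed: a Web Store extension on the allowlist
SUSPICIOUS_ID = "abcdefghijklmnop" * 2  # constructed: a sideloaded extension with DevTools reach


def build_sample_profile(root):
    """Write two constructed manifests in Chrome's on-disk layout under root/Extensions."""
    samples = {
        (BENIGN_ID, "2.1.0"): {
            "manifest_version": 3, "name": "Tab Notes", "version": "2.1.0",
            "permissions": ["storage"], "update_url": WEBSTORE_UPDATE_URL,
        },
        (SUSPICIOUS_ID, "1.0"): {
            "manifest_version": 3, "name": "Dev Helper", "version": "1.0",
            "permissions": ["debugger", "tabs"], "devtools_page": "devtools.html",
        },
    }
    for (ext_id, version), manifest in samples.items():
        ext_dir = os.path.join(root, "Extensions", ext_id, version)
        os.makedirs(ext_dir)
        with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)


def demo():
    """Build the sample profile in a temp dir and audit it against a one-entry allowlist."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_profile(root)
        return audit_profile(root, allowlist={BENIGN_ID})


if __name__ == "__main__":
    for f in demo():
        print(f"{f.ext_id} ({f.name} {f.version}): " + "; ".join(f.reasons))
```

Extensions loaded unpacked with --load-extension run from their source directory and are not copied into Extensions/, so this scan does not see them; the enterprise policy logs listed in the indicators remain the source for those installs.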

Additional resources


Source: this report was generated with the help of AI.

Related Chromium vulnerabilities:

CVE ID           Severity  Score  Technologies  Component  CISA KEV exploit  Fixed  Publication date
CVE-2026-14156   NONE      N/A    Chromium      chromium   No                No     Jun 30, 2026
CVE-2026-14155   NONE      N/A    Chromium      chromium   No                No     Jun 30, 2026
CVE-2026-14154   NONE      N/A    Chromium      chromium   No                No     Jun 30, 2026
CVE-2026-14153   NONE      N/A    Chromium      chromium   No                No     Jun 30, 2026
CVE-2026-14152   NONE      N/A    Chromium      chromium   No                No     Jun 30, 2026
