CVE-2025-9867: 
Google Chrome vulnerability analysis and mitigation

CVE-2025-9867 is a medium-severity vulnerability discovered in Google Chrome's Downloads component. The vulnerability was reported by Farras Givari on May 4, 2025, and was subsequently patched in Chrome version 140.0.7339.80. This security flaw affects Google Chrome on Android systems prior to the patched version (Chrome Release, NVD).

The vulnerability is characterized as an inappropriate implementation in the Downloads component that could allow a remote attacker to perform UI spoofing via a crafted HTML page. The issue has been assigned a CVSS 3.1 Base Score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N. The vulnerability has been classified under CWE-451 (User Interface (UI) Misrepresentation of Critical Information) (NVD).

The vulnerability enables attackers to perform UI spoofing attacks through specially crafted HTML pages, potentially leading to user interface manipulation and misrepresentation of critical information. This could result in users being misled about the nature or source of downloaded content (NVD).

Google has addressed this vulnerability in Chrome version 140.0.7339.80. Users are strongly advised to update their Chrome browsers to this version or later to protect against potential exploitation. The fix was included as part of a broader security update that addressed multiple vulnerabilities (Chrome Release).