{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0907", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-01-13T18:20:18.301Z", "datePublished": "2026-01-20T04:14:17.460Z", "dateUpdated": "2026-01-20T14:37:38.272Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "144.0.7559.59", "status": "affected", "lessThan": "144.0.7559.59", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Incorrect security UI in Split View in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Incorrect security UI"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-01-20T04:14:17.460Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html"}, {"url": "https://issues.chromium.org/issues/444653104"}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-451", "lang": "en", "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T14:35:38.083608Z", "id": "CVE-2026-0907", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T14:37:38.272Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-0907", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-20T14:35:38.083608Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-451", "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T14:37:26.728Z"}}], "cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"status": "affected", "version": "144.0.7559.59", "lessThan": "144.0.7559.59", "versionType": "custom"}]}], "references": [{"url": "https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html"}, {"url": "https://issues.chromium.org/issues/444653104"}], "descriptions": [{"lang": "en", "value": "Incorrect security UI in Split View in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Incorrect security UI"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-01-20T04:14:17.460Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0907", "state": "PUBLISHED", "dateUpdated": "2026-01-20T14:37:38.272Z", "dateReserved": "2026-01-13T18:20:18.301Z", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "datePublished": "2026-01-20T04:14:17.460Z", "assignerShortName": "Chrome"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "7322229C-61DF-4A91-9816-F7796F9AABCD", "versionEndExcluding": "144.0.7559.59", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "258B923C-054B-4411-9E82-36C89A6BE4C4", "versionEndExcluding": "144.0.7559.60", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect security UI in Split View in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)"}], "id": "CVE-2026-0907", "lastModified": "2026-01-29T20:27:46.380", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-20T05:16:16.217", "references": [{"source": "chrome-cve-admin@google.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html"}, {"source": "chrome-cve-admin@google.com", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://issues.chromium.org/issues/444653104"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-451"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "chromium-browser: Incorrect security UI in Split View", "id": "2431122", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431122"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-0907", "public_date": "2026-01-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-0907\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-0907\nhttps://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html\nhttps://issues.chromium.org/issues/444653104"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.", "threat_severity": "Low"}

{"analysis": {"en": {"generated_at": "2026-04-18T04:48:49.299862+00:00", "value": {"mitigation_remediation": ["Upgrade Google Chrome to version 144.0.7559.59 or newer using the browser\u2019s automatic update mechanism or by downloading the latest stable release from Google\u2019s site.", "If enterprise policy allows, disable or restrict the Split View feature, which removes the UI context that allows the attack surface to be exploited.", "Ensure that any extensions or third\u2011party software that modify Chrome\u2019s UI are updated or disabled, as these can interfere with security indicators and may amplify the spoofing effect."], "summary": {"action": "Immediate Patch", "impact": "UI Spoofing via Crafted HTML"}, "threat_synthesis": {"affected_systems": "All desktop installations of Google Chrome running a version earlier than 144.0.7559.59 on Windows, macOS, or Linux are affected. The issue is tied to the stable channel and applies to users who have not updated Chrome after the January\u202f2026 release cycle.", "description_and_impact": "The vulnerability is found in Google Chrome\u2019s Split View UI where security indicators are rendered incorrectly. A remote attacker can deliver a crafted HTML page that, when opened in a Chrome instance before version 144.0.7559.59, causes the browser to display a spoofed security badge or icon that misleads the user into believing the site is protected. This deception facilitates phishing or credential theft by tricking users into submitting sensitive information. The flaw originates from insufficient validation of UI elements within Split View and is classified as CWE\u2011451.", "risk_and_exploitability": "The CVSS score of 9.8 designates this bug as critical; however, the current EPSS score is less than 1\u202f%, indicating a low probability of exploitation at this time. It is not listed in the CISA KEV catalog, so no widespread public exploitation is documented. Nevertheless, the attack vector is a malicious web page loaded in the browser, which is trivial for an attacker to craft and distribute over the internet, making the vulnerability highly actionable for anyone who can serve such a page to a user."}}}}, "created": "2026-01-20T08:40:08.016037+00:00", "updated": "2026-04-18T05:00:06.026848+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}