{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2320", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-02-10T21:51:45.968Z", "datePublished": "2026-02-11T18:08:04.930Z", "dateUpdated": "2026-02-12T15:11:25.872Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "145.0.7632.45", "status": "affected", "lessThan": "145.0.7632.45", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Inappropriate implementation in File input in Google Chrome prior to 145.0.7632.45 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Inappropriate implementation"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-02-11T18:08:04.930Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_10.html"}, {"url": "https://issues.chromium.org/issues/435684924"}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-451", "lang": "en", "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-12T15:10:53.201109Z", "id": "CVE-2026-2320", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T15:11:25.872Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-2320", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-12T15:10:53.201109Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-451", "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T15:09:03.011Z"}}], "cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"status": "affected", "version": "145.0.7632.45", "lessThan": "145.0.7632.45", "versionType": "custom"}]}], "references": [{"url": "https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_10.html"}, {"url": "https://issues.chromium.org/issues/435684924"}], "descriptions": [{"lang": "en", "value": "Inappropriate implementation in File input in Google Chrome prior to 145.0.7632.45 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Inappropriate implementation"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-02-11T18:08:04.930Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2320", "state": "PUBLISHED", "dateUpdated": "2026-02-12T15:11:25.872Z", "dateReserved": "2026-02-10T21:51:45.968Z", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "datePublished": "2026-02-11T18:08:04.930Z", "assignerShortName": "Chrome"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "51821EAE-B89B-44D2-80B6-F868FC2B41B1", "versionEndExcluding": "145.0.7632.45", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}, {"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Inappropriate implementation in File input in Google Chrome prior to 145.0.7632.45 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)"}], "id": "CVE-2026-2320", "lastModified": "2026-02-13T14:52:29.383", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-11T19:15:52.160", "references": [{"source": "chrome-cve-admin@google.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_10.html"}, {"source": "chrome-cve-admin@google.com", "tags": ["Permissions Required"], "url": "https://issues.chromium.org/issues/435684924"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-451"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "chromium-browser: Inappropriate implementation in File input", "id": "2439062", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439062"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-2320", "public_date": "2026-02-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-2320\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-2320\nhttps://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_10.html\nhttps://issues.chromium.org/issues/435684924"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[145.0.7632.45,145.0.7632.45)"}}], "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-18T18:10:29.180586+00:00", "value": {"mitigation_remediation": ["Install Chrome version 145.0.7632.45 or newer on all devices to eliminate the insecure file\u2011input behavior.", "If an immediate upgrade is not possible, use enterprise policy or a browser extension to block or warn about suspicious file\u2011picker prompts, limiting the use of the file\u2011input element.", "Educate users about the risk of file\u2011picker prompts from unfamiliar sites and advise them to verify the authenticity of such prompts before proceeding."], "summary": {"action": "Patch", "impact": "UI Spoofing"}, "threat_synthesis": {"affected_systems": "Google Chrome versions older than 145.0.7632.45 are affected. The flaw resides in the browser\u2019s handling of file\u2011input elements, so any operating system that hosts Chrome\u2014Windows, macOS, Linux\u2014is at risk when out\u2011of\u2011date versions are installed.", "description_and_impact": "An inappropriate implementation of the file\u2011input element in Google Chrome allows a remote attacker who can persuade a user to perform specific UI gestures to perform UI spoofing via a specially crafted web page. Based on the description, it is inferred that the attacker must engage a user in simple clicking or selecting actions on the page. The attacker can hijack the user\u2019s attention and force the browser to display a misleading file\u2011picker or similar UI, potentially making the user believe they are interacting with a legitimate element while the attacker controls it. This flaw has a Medium severity rating in Chromium and does not provide arbitrary code execution; its primary impact is the circumvention of the user\u2019s intent, which could facilitate phishing or credential theft.", "risk_and_exploitability": "The vulnerability has a CVSS score of 6.5 and an EPSS score of less than 1\u202f%, indicating a low likelihood of widespread exploitation at this time. The attack requires a social\u2011engineering scenario in which a user visits a malicious web page and performs simple UI gestures such as clicking a button. Based on the description, it is inferred that the attacker must rely on user interaction, and no high\u2011privilege or unconstrained remote code execution is possible. The vulnerability is not listed in the CISA KEV catalog, suggesting that large\u2011scale exploitation has not yet been observed."}}}}, "created": "2026-02-11T21:37:37.464443+00:00", "updated": "2026-04-18T18:15:06.605986+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}