CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-0907

CVSS 9.8v3.1pub. 2026-01-20upd. 2026-01-29

Incorrect security UI in Split View in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

🤖 AI Analysis
How it works

Incorrect implementation of the security interface (Incorrect security UI) in the Split View component allows an attacker to display a false interface to the user using a specially crafted HTML page. This mechanism is consistent with CWE-451 class, which indicates misleading the user about the visual representation of content or security context. The attack requires no authentication, and user interaction is limited to visiting the crafted page.

Impact

An attacker can effectively spoof browser user interface elements, which may lead to credential theft or convincing the user to perform unwanted actions through false visual indicators.

Mitigation & patch

Update Google Chrome to version 144.0.7559.59 or later. The update is available through the browser's built-in update mechanism or on the vendor's website according to references (chromereleases.googleblog.com).

Who is affected

Google Chrome versions prior to 144.0.7559.59 on Windows, Linux, and macOS platforms.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apple macOS

    OS
    Apple
    wszystkie wersje
  • Google Chrome

    APP
    Google
    < 144.0.7559.59< 144.0.7559.60
  • Linux Kernel

    OS
    Linux
    wszystkie wersje
  • Microsoft Windows

    OS
    Microsoft
    wszystkie wersje
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2026-8398CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-43300CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Apple iOS/iPadOS/macOS — out-of-bounds write przy przetwarzaniu obrazu

CVE-2025-34028CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP

CVE-2025-31201CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Apple: Obejście Pointer Authentication w iOS, macOS i innych platformach