A critical vulnerability, identified as CVE-2026-0907, has been discovered in Google Chrome, carrying a CVSS score of 9.8. This flaw allows a remote attacker to spoof the browser's user interface, potentially tricking users into believing they are interacting with a legitimate website when they are on a malicious one. Successful exploitation could lead to credential theft, financial fraud, or the installation of malware.

The vulnerability exists due to an incorrect implementation of the security user interface (UI) within Chrome's Split View feature. A remote attacker can create a specially crafted HTML page that, when visited by a victim, manipulates the browser's UI elements like the address bar or security indicators. This allows the attacker to overlay a fake UI on top of the real one, making a malicious page appear as a trusted domain, such as a corporate login portal or a banking website, thereby facilitating phishing and other social engineering attacks.

This vulnerability is rated as critical severity with a CVSS score of 9.8, indicating a high risk to the organization. Successful exploitation could lead to severe consequences, including the compromise of sensitive corporate and personal data, unauthorized access to internal systems, and significant financial loss. The primary risk is large-scale credential theft from employees who are tricked by the spoofed UI, which could serve as an entry point for broader network intrusions and ransomware attacks, leading to substantial operational disruption and reputational damage.

Immediate Action: Update all instances of Google Chrome to version 144.0.7559.59 or later to patch the vulnerability. System administrators should use enterprise management tools to enforce this update across all corporate devices. Following the update, monitor for any signs of exploitation attempts that may have occurred prior to patching and review relevant access logs for unusual activity.

Proactive Monitoring: Implement enhanced monitoring of network traffic for connections to suspicious or newly registered domains. Utilize endpoint detection and response (EDR) solutions to flag unusual browser process behavior. Security teams should review web proxy and DNS logs for patterns indicative of users being redirected to malicious sites that may be leveraging this UI spoofing technique.

Compensating Controls: If immediate patching is not feasible, organizations should enforce the use of web filtering and email security gateways to block access to known malicious websites. Enhance user awareness training, specifically instructing employees to be skeptical of login prompts and to manually verify website addresses, especially when dealing with sensitive information. Consider using multi-factor authentication (MFA) across all services to mitigate the impact of potential credential theft.

Public Exploit Available: false

Given the critical CVSS score of 9.8, we strongly recommend that organizations prioritize the immediate patching of this vulnerability across all endpoints. The risk of credential compromise and subsequent network intrusion is severe. Although this vulnerability is not currently listed on the CISA KEV catalog, its high severity rating warrants an urgent and comprehensive response to prevent potential exploitation. All vulnerable Google Chrome installations should be updated to a patched version without delay.