CVE-2026-0901

5.4 MEDIUM

📋 TL;DR

This vulnerability allows attackers to spoof user interface elements in Chrome on Android, potentially tricking users into interacting with malicious content. It affects Android users running Chrome versions before 144.0.7559.59. The issue stems from improper implementation in Blink, Chrome's rendering engine.

💻 Affected Systems

Products:
  • Google Chrome
Versions: Versions prior to 144.0.7559.59
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Chrome on Android; desktop versions and other browsers are not vulnerable.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...


⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could create convincing fake login dialogs, payment screens, or system alerts that trick users into entering sensitive information or performing unintended actions.

🟠

Likely Case

Phishing attacks where users are tricked into clicking malicious elements or entering credentials into spoofed UI components.

🟢

If Mitigated

Minimal impact if users are trained to recognize phishing attempts and verify URLs before interacting with sensitive UI elements.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction with a crafted HTML page but no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 144.0.7559.59

Vendor Advisory: https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html

Restart Required: Yes

Instructions:

1. Open Chrome on Android.
2. Go to Settings > About Chrome.
3. Chrome will automatically check for and apply updates.
4. Restart Chrome if prompted.

🔧 Temporary Workarounds

Disable JavaScript

android

Prevents execution of malicious scripts that could exploit the vulnerability.

Settings > Site settings > JavaScript > Block

Use alternative browser

android

Switch to a different browser until Chrome is updated.

🧯 If You Can't Patch

  • Implement web filtering to block access to untrusted websites
  • Educate users about phishing risks and UI spoofing techniques

🔍 How to Verify

Check if Vulnerable:

Check Chrome version in Settings > About Chrome. If version is below 144.0.7559.59, the device is vulnerable.

Check Version:

chrome://version/ in Chrome address bar

Verify Fix Applied:

Confirm Chrome version is 144.0.7559.59 or higher in Settings > About Chrome.
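The version check above is easy to get wrong at fleet scale: Chrome version strings have four numeric components and must be compared numerically, not as text (a plain string compare ranks 144.0.7559.6 above 144.0.7559.59). The following is an added example, not part of this advisory or of any Google tooling; it parses four-part Chrome version strings, flags anything older than the fixed build, and runs over a constructed sample inventory (the device ids and versions are made up for illustration) such as an MDM export might provide.

```python
"""Compare Chrome version strings against the fixed build for CVE-2026-0901."""
from __future__ import annotations

import re

# Fixed build taken from the advisory.
FIXED_VERSION = "144.0.7559.59"

# Chrome versions are "major.minor.build.patch", four integer components.
_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Parse a four-part Chrome version string into a tuple of ints.

    Tuples of ints compare component by component, which is the correct
    ordering for Chrome builds; comparing the raw strings is not.
    """
    v = version.strip()
    if not _VERSION_RE.match(v):
        raise ValueError(f"not a Chrome version string: {version!r}")
    major, minor, build, patch = (int(p) for p in v.split("."))
    return (major, minor, build, patch)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly older than the fixed build."""
    return parse_version(version) < parse_version(fixed)


# Constructed sample inventory (hypothetical device ids and versions).
SAMPLE_INVENTORY = [
    ("android-001", "143.0.7499.192"),
    ("android-002", "144.0.7559.59"),
    ("android-003", "144.0.7559.6"),   # older than .59, though it sorts later as text
    ("android-004", "145.0.7600.1"),
    ("android-005", "unknown"),        # agent failed to report a version
]


def triage(inventory):
    """Split an inventory into (vulnerable, patched, unparseable) device id lists.

    Unparseable entries are reported separately rather than silently treated
    as patched, so a broken agent does not hide an unpatched device.
    """
    vulnerable, patched, unparseable = [], [], []
    for device_id, version in inventory:
        try:
            (vulnerable if is_vulnerable(version) else patched).append(device_id)
        except ValueError:
            unparseable.append(device_id)
    return vulnerable, patched, unparseable


if __name__ == "__main__":
    vuln, ok, bad = triage(SAMPLE_INVENTORY)
    print("vulnerable: ", vuln)
    print("patched:    ", ok)
    print("unparseable:", bad)
```

Feed `triage` the (device, version) pairs from your own inventory export; the unparseable bucket is worth reviewing by hand, since a device that reports no version is not evidence that it is patched.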

📡 Detection & Monitoring

Log Indicators:

  • Unusual user reports of suspicious UI elements or unexpected dialog behavior

Network Indicators:

  • HTTP requests to known malicious domains hosting crafted HTML pages

SIEM Query:

source="chrome_logs" AND (event="security_alert" OR event="phishing_attempt")
