CVE-2026-0906
📋 TL;DR
This vulnerability allows attackers to spoof the URL bar (Omnibox) in Google Chrome on Android, potentially tricking users into believing they're on a legitimate website when they're actually on a malicious one. Only Android users running Chrome versions before 144.0.7559.59 are affected.
💻 Affected Systems
- Google Chrome
📦 What is this software?
Chrome by Google
Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...
⚠️ Risk & Real-World Impact
Worst Case
Users could be tricked into entering sensitive credentials or financial information into what appears to be a legitimate banking or service website, leading to account compromise and financial loss.
Likely Case
Phishing attacks where users are deceived into visiting malicious sites that appear legitimate, potentially leading to credential theft or malware installation.
If Mitigated
Users who verify URLs carefully or use additional security measures like password managers with URL verification would be protected despite the spoofing attempt.
🎯 Exploit Status
Exploitation requires user interaction (visiting a crafted HTML page) but no authentication or special permissions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 144.0.7559.59 and later
Vendor Advisory: https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html
Restart Required: Yes
Instructions:
1. Open Google Play Store
2. Search for Chrome
3. Update to version 144.0.7559.59 or higher
4. Restart Chrome
🔧 Temporary Workarounds
Use alternative browser
Android: Temporarily switch to a different browser until Chrome is updated
Disable JavaScript
Android: Prevents the crafted HTML from executing spoofing code
Chrome Settings > Site Settings > JavaScript > Block
🧯 If You Can't Patch
- Educate users to manually verify URLs by checking the full address bar before entering sensitive information
- Implement network filtering to block known malicious domains that might exploit this vulnerability
🔍 How to Verify
Check if Vulnerable:
Check the Chrome version in Settings > About Chrome. If the version is below 144.0.7559.59, the device is vulnerable.
Check Version:
chrome://version/
Verify Fix Applied:
Confirm Chrome version is 144.0.7559.59 or higher after update.
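For more than a handful of devices, the same version check can be scripted against the output of `adb shell dumpsys package com.android.chrome`, which prints the installed build as a `versionName=` line. The script below is an added example, not part of this advisory; the dumpsys sample is constructed, and the `assess_connected_device` helper assumes `adb` is on PATH with a device attached.

```python
import re
import subprocess
from typing import Optional, Tuple

# First fixed release per the advisory: 144.0.7559.59 and later are patched.
FIXED_VERSION = (144, 0, 7559, 59)
CHROME_PACKAGE = "com.android.chrome"

# Constructed sample of `adb shell dumpsys package com.android.chrome` output
# (only the lines relevant to the check are reproduced).
SAMPLE_DUMPSYS = """Packages:
  Package [com.android.chrome] (a1b2c3d):
    userId=10123
    versionCode=755905900 minSdk=26 targetSdk=35
    versionName=143.0.7499.192
    flags=[ SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA ]
"""

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted Chrome version string into a tuple for numeric comparison."""
    return tuple(int(part) for part in version.strip().split("."))

def extract_version_name(dumpsys_output: str) -> Optional[str]:
    """Pull the versionName= value out of dumpsys package output, if present."""
    match = re.search(r"^\s*versionName=(\S+)", dumpsys_output, re.MULTILINE)
    return match.group(1) if match else None

def is_vulnerable(version_name: str) -> bool:
    """True when the installed build is older than the first fixed release.
    A truncated version such as 144.0.7559 compares as lower and is treated
    as vulnerable, which errs on the side of flagging the device."""
    return parse_version(version_name) < FIXED_VERSION

def assess_device(dumpsys_output: str) -> str:
    """Classify a device as 'vulnerable', 'patched' or 'unknown' from dumpsys text."""
    version_name = extract_version_name(dumpsys_output)
    if version_name is None:
        return "unknown"  # Chrome not installed, or output not recognised
    return "vulnerable" if is_vulnerable(version_name) else "patched"

def assess_connected_device() -> str:
    """Query the ADB-connected device (assumes adb is on PATH)."""
    out = subprocess.run(["adb", "shell", "dumpsys", "package", CHROME_PACKAGE],
                         capture_output=True, text=True, check=True).stdout
    return assess_device(out)

if __name__ == "__main__":
    print("constructed sample:", assess_device(SAMPLE_DUMPSYS))
```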
📡 Detection & Monitoring
Log Indicators:
- Unusual URL patterns in web logs
- Multiple failed authentication attempts from spoofed domains
Network Indicators:
- Traffic to domains with suspicious URL structures
- HTTPS connections to non-standard ports
SIEM Query:
source="web_proxy" AND (url CONTAINS "lookalike_domain" OR url MATCHES "*spoof*" OR status_code=401)