Google Chrome
- CPE: cpe:2.3:a:google:chrome:*:*:*:*:*:*:*
- Affected versions: < 140.0.7339.80
A UI spoofing vulnerability has been identified in Google Chrome versions prior to 140.0.7339.80. This issue arises from an inappropriate implementation in the compositing process, which allows remote attackers to create crafted HTML pages that deceive users by manipulating the user interface.
Exploitation of this vulnerability can lead to UI spoofing, where a maliciously crafted HTML page tricks users into interacting with permission prompts, potentially bypassing the intended denial of those permissions.
The vulnerability can be reproduced by embedding a 'permission' element within a parent element that applies a '-webkit-text-stroke' style. This combination can obscure the text in the 'permission' element, creating a false impression that a permission is being actively requested or acknowledged, even when it is not.
Users can update to Google Chrome version 140.0.7339.80 or later to address this vulnerability.
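A defensive check for the markup pattern described above, as an added example that is not part of the advisory or of Chrome: it flags 'permission' elements nested under an ancestor whose inline style sets -webkit-text-stroke. The sample HTML is constructed, the class and function names are hypothetical, and only inline style attributes are inspected, so rules applied from stylesheets are out of scope.

```python
from html.parser import HTMLParser

# Void elements never stay open, so they cannot be ancestors.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}

class PermissionStrokeScanner(HTMLParser):
    """Flag <permission> elements under an ancestor with inline -webkit-text-stroke."""

    def __init__(self):
        super().__init__()
        self.stack = []     # (tag, has_stroke) for every open element
        self.findings = []  # (line, styled_ancestor_tag) per flagged <permission>

    def handle_starttag(self, tag, attrs):
        style = (dict(attrs).get("style") or "").lower()
        # Substring match also covers the -width and -color longhands.
        has_stroke = "-webkit-text-stroke" in style
        if tag == "permission":
            for anc_tag, anc_stroke in reversed(self.stack):
                if anc_stroke:  # nearest styled ancestor
                    self.findings.append((self.getpos()[0], anc_tag))
                    break
        if tag not in VOID:
            self.stack.append((tag, has_stroke))

    def handle_endtag(self, tag):
        # Close back to the matching open tag; ignore stray closers.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def scan(html):
    """Return [(line, ancestor_tag)] for each suspicious <permission> element."""
    parser = PermissionStrokeScanner()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page (not taken from the advisory).
SAMPLE = """<div style="-webkit-text-stroke: 1px">
  <p>text</p>
  <span><permission></permission></span>
</div>
<section><permission></permission></section>
"""

if __name__ == "__main__":
    for line, ancestor in scan(SAMPLE):
        print(f"line {line}: <permission> inside <{ancestor}> with -webkit-text-stroke")
```

A hit is a prompt for manual review of the page, not proof of spoofing on its own.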