CVE-2026-0906

Critical

Published: 20 January 2026

Published

20 January 2026

Modified

29 January 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0013 31.4th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Incorrect security UI in Google Chrome on Android prior to 144.0.7559.59 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low)

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mandates timely identification, reporting, and correction of flaws like the Chrome Omnibox spoofing vulnerability through patching to version 144.0.7559.59 or later.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Enables automated vulnerability scanning to identify deployments of vulnerable Chrome versions on Android affected by this Omnibox spoofing issue.

SI-5 Security Alerts, Advisories, and Directives partial match

preventdetect

Requires monitoring and implementing security advisories such as the Chrome Releases announcement addressing this specific UI spoofing vulnerability.

Security SummaryAI

CVE-2026-0906 is an incorrect security UI vulnerability affecting Google Chrome on Android in versions prior to 144.0.7559.59. The flaw allows a remote attacker to spoof the contents of the Omnibox, or URL bar, via a crafted HTML page. It is associated with CWE-451 (User Interface Misrepresentation of Critical Information) and carries a Chromium security severity rating of Low, though the CVSS v3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A remote attacker can exploit this vulnerability by hosting a malicious HTML page on a website and luring a targeted user to visit it. Upon loading the page in a vulnerable Chrome version on Android, the attacker can spoof the Omnibox display, misleading the user about the actual URL. This enables deception such as phishing, where victims might be tricked into entering credentials or interacting with fraudulent content, potentially leading to high impacts on confidentiality, integrity, and availability as indicated by the CVSS metrics.

Mitigation is available through updating Google Chrome on Android to version 144.0.7559.59 or later, which patches the issue. Additional details are provided in the Chrome Releases announcement at https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html and the Chromium bug tracker at https://issues.chromium.org/issues/467448811.

Details

CWE(s): CWE-451

Affected Products

google

chrome

≤ 144.0.7559.59 · ≤ 144.0.7559.60

MITRE ATT&CK Enterprise TechniquesAI

T1566.002 Spearphishing Link Initial Access

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.

attack.mitre.org →

Why these techniques?

The vulnerability allows spoofing the Omnibox/URL bar via crafted HTML, directly facilitating spearphishing links by misleading users about the site's legitimacy and tricking them into entering credentials.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html
Release Notes, Vendor Advisory · chrome-cve-admin@google.com
https://issues.chromium.org/issues/467448811
Issue Tracking, Permissions Required · chrome-cve-admin@google.com