CVE-2026-0907

Critical

Published: 20 January 2026

Published

20 January 2026

Modified

29 January 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0013 31.4th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Incorrect security UI in Split View in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly addresses the CVE by requiring timely patching of the vulnerable Chrome version to version 144.0.7559.59, eliminating the UI spoofing flaw in Split View.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Enables regular vulnerability scanning to identify systems running vulnerable Chrome versions affected by this UI spoofing issue.

SI-5 Security Alerts, Advisories, and Directives partial match

prevent

Ensures receipt and implementation of vendor security advisories, such as the Chrome stable channel update announcement fixing this vulnerability.

Security SummaryAI

CVE-2026-0907 involves an incorrect security UI in the Split View feature of Google Chrome prior to version 144.0.7559.59. This vulnerability enables a remote attacker to perform UI spoofing via a crafted HTML page. It is classified under CWE-451 (User Interface Misrepresentation), with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), though Chromium assesses its security severity as Low.

A remote attacker without privileges can exploit this issue by luring a user to a malicious site hosting the crafted HTML page. Exploitation results in UI spoofing, allowing the attacker to misrepresent the browser's interface in Split View, potentially tricking users into disclosing sensitive information or executing unintended actions, aligning with the high-impact CVSS metrics for confidentiality, integrity, and availability.

Google's stable channel update for desktop to version 144.0.7559.59 addresses this vulnerability, as detailed in the release announcement at https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html. Further technical details are available in the Chromium issue tracker at https://issues.chromium.org/issues/444653104. Practitioners should prioritize updating affected Chrome installations.

Details

CWE(s): CWE-451

Affected Products

google

chrome

≤ 144.0.7559.59 · ≤ 144.0.7559.60

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

attack.mitre.org →

T1204.001 Malicious Link Execution

An adversary may rely upon a user clicking a malicious link in order to gain execution.

attack.mitre.org →

Why these techniques?

The vulnerability enables UI spoofing via a crafted HTML page on a malicious site that users are lured to, facilitating drive-by compromise (T1189) and user execution via malicious link (T1204.001) to trick users into disclosing information or performing unintended actions.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

References

https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html
Release Notes, Vendor Advisory · chrome-cve-admin@google.com
https://issues.chromium.org/issues/444653104
Issue Tracking, Permissions Required · chrome-cve-admin@google.com