CVE-2026-9110

Published May 20, 2026

Last updated a month ago

CVSS medium 4.2

Overview

Description
Inappropriate implementation in UI in Google Chrome on Windows prior to 148.0.7778.179 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Critical)
Source
chrome-cve-admin@google.com
NVD status
Analyzed
Products
chrome

Risk scores

CVSS 3.1

Type
Secondary
Base score
4.2
Impact score
2.5
Exploitability score
1.6
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L
Severity
MEDIUM

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-451

Social media

Hype score
Not currently trending

  1. 【Chrome更新推奨:WebRTC脆弱性と未修正Browser Fetch問題に注意】 Chrome/Chromium関連で、WebRTCのUse-after-free脆弱性CVE-2026-9111と、Windows上のUI spoofing脆弱性CVE-2026-9110が修正されています。

    @01ra66it

    23 May 2026

    332 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Google has patched two critical security flaws in Chrome that could let attackers take over your computer just by visiting a website — no download required. One flaw (CVE-2026-9111) could allow full remote code execution on Linux; the other (CVE-2026-9110) could let attackers

    @cybernewslive

    23 May 2026

    92 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  3. CVE-2026-9110:Inappropriate implementation in UI(Critical) CVE-2026-9111:Use after free in WebRTC(Critical) きょうもきょうとて・・・

    @d52425

    22 May 2026

    69 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Uninitialized Use in GPU in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)CVE-2026-12469
  2. Race in Updater in Google Chrome on Mac prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)CVE-2026-12468
  3. Inappropriate implementation in Views in Google Chrome on Linux prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)CVE-2026-12463
  4. Out of bounds read in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)CVE-2026-12461
  5. Use after free in Extensions in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)CVE-2026-12467

References

Sources include official advisories and independent security research.