Cyber Resilience

CVE-2026-0906

Critical

Published: 20 January 2026

Published
20 January 2026
Modified
29 January 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0027 18.4th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-0906 is a critical-severity User Interface (UI) Misrepresentation of Critical Information (CWE-451) vulnerability in Google Chrome. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002); ranked at the 18.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-0906 is an incorrect security UI vulnerability affecting Google Chrome on Android in versions prior to 144.0.7559.59. The flaw allows a remote attacker to spoof the contents of the Omnibox, or URL bar, via a crafted HTML page. It is associated with CWE-451 (User Interface Misrepresentation of Critical Information) and carries a Chromium security severity rating of Low, though the CVSS v3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A remote attacker can exploit this vulnerability by hosting a malicious HTML page on a website and luring a targeted user to visit it. Upon loading the page in a vulnerable Chrome version on Android, the attacker can spoof the Omnibox display, misleading the user about the actual URL. This enables deception such as phishing, where victims might be tricked into entering credentials or interacting with fraudulent content, potentially leading to high impacts on confidentiality, integrity, and availability as indicated by the CVSS metrics.

Mitigation is available through updating Google Chrome on Android to version 144.0.7559.59 or later, which patches the issue. Additional details are provided in the Chrome Releases announcement at https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html and the Chromium bug tracker at https://issues.chromium.org/issues/467448811.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Incorrect security UI in Google Chrome on Android prior to 144.0.7559.59 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1566.002 Spearphishing Link Initial Access
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Why these techniques?

The vulnerability allows spoofing the Omnibox/URL bar via crafted HTML, directly facilitating spearphishing links by misleading users about the site's legitimacy and tricking them into entering credentials.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-0907Same product: Apple Macos
CVE-2026-5907Same product: Apple Macos
CVE-2026-7357Same product: Apple Macos
CVE-2026-10018Same product: Apple Macos
CVE-2026-8000Same product: Apple Macos
CVE-2026-4675Same product: Apple Macos
CVE-2026-7349Same product: Apple Macos
CVE-2026-7347Same product: Apple Macos
CVE-2026-4460Same product: Apple Macos
CVE-2026-7342Same product: Apple Macos

Affected Assets

google
chrome
≤ 144.0.7559.59 · ≤ 144.0.7559.60

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely identification, reporting, and correction of flaws like the Chrome Omnibox spoofing vulnerability through patching to version 144.0.7559.59 or later.

detect

Enables automated vulnerability scanning to identify deployments of vulnerable Chrome versions on Android affected by this Omnibox spoofing issue.

preventdetect

Requires monitoring and implementing security advisories such as the Chrome Releases announcement addressing this specific UI spoofing vulnerability.

References