CVE-2026-0906
Published: 20 January 2026
Summary
CVE-2026-0906 is a critical-severity User Interface (UI) Misrepresentation of Critical Information (CWE-451) vulnerability in Google Chrome. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002); ranked at the 31.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates timely identification, reporting, and correction of flaws like the Chrome Omnibox spoofing vulnerability through patching to version 144.0.7559.59 or later.
Enables automated vulnerability scanning to identify deployments of vulnerable Chrome versions on Android affected by this Omnibox spoofing issue.
Requires monitoring and implementing security advisories such as the Chrome Releases announcement addressing this specific UI spoofing vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows spoofing the Omnibox/URL bar via crafted HTML, directly facilitating spearphishing links by misleading users about the site's legitimacy and tricking them into entering credentials.
NVD Description
Incorrect security UI in Google Chrome on Android prior to 144.0.7559.59 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low)
Deeper analysisAI
CVE-2026-0906 is an incorrect security UI vulnerability affecting Google Chrome on Android in versions prior to 144.0.7559.59. The flaw allows a remote attacker to spoof the contents of the Omnibox, or URL bar, via a crafted HTML page. It is associated with CWE-451 (User Interface Misrepresentation of Critical Information) and carries a Chromium security severity rating of Low, though the CVSS v3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A remote attacker can exploit this vulnerability by hosting a malicious HTML page on a website and luring a targeted user to visit it. Upon loading the page in a vulnerable Chrome version on Android, the attacker can spoof the Omnibox display, misleading the user about the actual URL. This enables deception such as phishing, where victims might be tricked into entering credentials or interacting with fraudulent content, potentially leading to high impacts on confidentiality, integrity, and availability as indicated by the CVSS metrics.
Mitigation is available through updating Google Chrome on Android to version 144.0.7559.59 or later, which patches the issue. Additional details are provided in the Chrome Releases announcement at https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html and the Chromium bug tracker at https://issues.chromium.org/issues/467448811.
Details
- CWE(s)