Cyber Resilience

CVE-2026-0907

Critical

Published: 20 January 2026

Published
20 January 2026
Modified
29 January 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0025 15.7th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-0907 is a critical-severity User Interface (UI) Misrepresentation of Critical Information (CWE-451) vulnerability in Google Chrome. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 15.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-0907 involves an incorrect security UI in the Split View feature of Google Chrome prior to version 144.0.7559.59. This vulnerability enables a remote attacker to perform UI spoofing via a crafted HTML page. It is classified under CWE-451 (User Interface Misrepresentation), with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), though Chromium assesses its security severity as Low.

A remote attacker without privileges can exploit this issue by luring a user to a malicious site hosting the crafted HTML page. Exploitation results in UI spoofing, allowing the attacker to misrepresent the browser's interface in Split View, potentially tricking users into disclosing sensitive information or executing unintended actions, aligning with the high-impact CVSS metrics for confidentiality, integrity, and availability.

Google's stable channel update for desktop to version 144.0.7559.59 addresses this vulnerability, as detailed in the release announcement at https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html. Further technical details are available in the Chromium issue tracker at https://issues.chromium.org/issues/444653104. Practitioners should prioritize updating affected Chrome installations.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Incorrect security UI in Split View in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Why these techniques?

The vulnerability enables UI spoofing via a crafted HTML page on a malicious site that users are lured to, facilitating drive-by compromise (T1189) and user execution via malicious link (T1204.001) to trick users into disclosing information or performing unintended actions.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-0906Same product: Apple Macos
CVE-2025-8292Same product: Apple Macos
CVE-2026-3543Same product: Apple Macos
CVE-2025-8882Same product: Apple Macos
CVE-2026-4447Same product: Apple Macos
CVE-2025-10892Same product: Apple Macos
CVE-2026-5286Same product: Apple Macos
CVE-2026-4442Same product: Apple Macos
CVE-2026-9933Same product: Apple Macos
CVE-2026-4443Same product: Apple Macos

Affected Assets

google
chrome
≤ 144.0.7559.59 · ≤ 144.0.7559.60

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the CVE by requiring timely patching of the vulnerable Chrome version to version 144.0.7559.59, eliminating the UI spoofing flaw in Split View.

detect

Enables regular vulnerability scanning to identify systems running vulnerable Chrome versions affected by this UI spoofing issue.

prevent

Ensures receipt and implementation of vendor security advisories, such as the Chrome stable channel update announcement fixing this vulnerability.

References