CVE-2026-0907
Published: 20 January 2026
Summary
CVE-2026-0907 is a critical-severity User Interface (UI) Misrepresentation of Critical Information (CWE-451) vulnerability in Google Chrome. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 31.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the CVE by requiring timely patching of the vulnerable Chrome version to version 144.0.7559.59, eliminating the UI spoofing flaw in Split View.
Enables regular vulnerability scanning to identify systems running vulnerable Chrome versions affected by this UI spoofing issue.
Ensures receipt and implementation of vendor security advisories, such as the Chrome stable channel update announcement fixing this vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables UI spoofing via a crafted HTML page on a malicious site that users are lured to, facilitating drive-by compromise (T1189) and user execution via malicious link (T1204.001) to trick users into disclosing information or performing unintended actions.
NVD Description
Incorrect security UI in Split View in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Deeper analysisAI
CVE-2026-0907 involves an incorrect security UI in the Split View feature of Google Chrome prior to version 144.0.7559.59. This vulnerability enables a remote attacker to perform UI spoofing via a crafted HTML page. It is classified under CWE-451 (User Interface Misrepresentation), with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), though Chromium assesses its security severity as Low.
A remote attacker without privileges can exploit this issue by luring a user to a malicious site hosting the crafted HTML page. Exploitation results in UI spoofing, allowing the attacker to misrepresent the browser's interface in Split View, potentially tricking users into disclosing sensitive information or executing unintended actions, aligning with the high-impact CVSS metrics for confidentiality, integrity, and availability.
Google's stable channel update for desktop to version 144.0.7559.59 addresses this vulnerability, as detailed in the release announcement at https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html. Further technical details are available in the Chromium issue tracker at https://issues.chromium.org/issues/444653104. Practitioners should prioritize updating affected Chrome installations.
Details
- CWE(s)