CVE-2026-11227 in Chrome
Summary
by MITRE • 06/05/2026
Incorrect security UI in Tab Hover Cards in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform domain spoofing via a crafted domain name. (Chromium security severity: Low)
Analysis
by VulDB Data Team • 06/05/2026
The vulnerability is a security UI flaw in Google Chrome's tab hover card functionality, present in versions prior to 149.0.7827.53. It falls under the category of domain spoofing, where an attacker exploits the browser's user interface to make users believe they are visiting a legitimate website when they are in fact interacting with a fraudulent domain. The flaw manifested in how Chrome displayed domain information in the hover cards that appear when a user mouses over a tab, giving an attacker an opportunity to manipulate the visual representation of a web address.
Technically, the vulnerability stems from insufficient validation and sanitization of domain names within the tab hover card interface. When a user hovered over a tab, the browser displayed domain information without the security checks that would prevent a maliciously crafted domain name from appearing legitimate. This weakness aligns with CWE-20, which addresses improper input validation, and more specifically relates to CWE-345, which deals with insufficient input validation for security-critical data. The flaw is a failure of the browser's security model to validate and present domain information in a way that does not mislead users about the true origin of web content.
From an operational perspective, this vulnerability creates significant risk for users who rely on visual cues to verify a website's authenticity. An attacker could craft a domain name that resembles a legitimate one, for example through a homograph attack that uses characters from other scripts which visually resemble common Latin characters, or through subtle variations in the domain name that are not immediately apparent to the user. The Low severity classification does not diminish the potential impact: domain spoofing can lead to successful phishing, credential theft, and other malicious activity that compromises user security. This vulnerability relates directly to the techniques described in the ATT&CK framework under T1566, which covers credential harvesting through social engineering and phishing attacks.
Mitigating this vulnerability required Google to implement proper validation of domain names within the tab hover card interface, ensuring that the displayed domain information accurately reflects the website actually being accessed. This involved updating the browser's security UI to prevent misleading presentations of domain names and adding stricter validation that can detect and reject potentially misleading domain variations. Users were advised to update to Chrome version 149.0.7827.53 or later to receive the security patch that addresses this UI validation flaw. The fix illustrates the importance of robust security controls in user interface elements where users make critical security decisions based on visual information.
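The homograph concern and the display-side validation described above can be illustrated with a small IDN display policy check. The following is an added example written for this page; it is not Chromium's code and does not reproduce the specific Chrome fix. It assumes two simplified rules (each hostname label must use a single script, and a label whose letters are all Cyrillic look-alikes of Latin letters is treated as whole-script confusable) and uses a constructed subset of the Unicode confusables list; a hostname failing either rule is displayed in its ASCII (punycode) form rather than as raw Unicode.

```python
"""Display-safety check for Unicode hostnames (added example, not Chromium code).

Policy assumed here, modelled loosely on how browsers decide whether to show an
IDN label as Unicode or as punycode:
  1. Every label must be written in a single script; digits and '-' are neutral.
  2. A label whose letters all have Latin look-alikes (whole-script confusable)
     is shown as punycode even though it is single-script.
"""
import unicodedata

# Constructed subset of Cyrillic letters that look like Latin letters.
# Written as escapes so the look-alike is visible to the reader.
CYRILLIC_LATIN_LOOKALIKES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
}


def script_of(ch: str) -> str:
    """Coarse script name taken from the first word of the Unicode character name."""
    if ch == "-" or ch.isdigit():
        return "COMMON"
    name = unicodedata.name(ch, "UNKNOWN")
    return name.split(" ", 1)[0]  # e.g. "LATIN", "CYRILLIC", "GREEK"


def label_scripts(label: str) -> set[str]:
    """Set of non-neutral scripts used in one hostname label."""
    return {script_of(c) for c in label} - {"COMMON"}


def is_whole_script_confusable(label: str) -> bool:
    """True when every letter of the label is a Latin look-alike from the table."""
    letters = [c for c in label if script_of(c) != "COMMON"]
    return bool(letters) and all(c in CYRILLIC_LATIN_LOOKALIKES for c in letters)


def to_ascii(hostname: str) -> str:
    """Punycode form via the standard-library IDNA codec (IDNA 2003, fine for display)."""
    return hostname.encode("idna").decode("ascii")


def display_form(hostname: str) -> tuple[str, str]:
    """Return (text_to_display, reason).

    Unicode is shown only when every label passes both rules; otherwise the
    punycode form is returned so the user sees the real, unambiguous name.
    """
    hostname = unicodedata.normalize("NFC", hostname).lower()
    for label in hostname.split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            return to_ascii(hostname), f"mixed scripts in label {label!r}: {sorted(scripts)}"
        if is_whole_script_confusable(label):
            return to_ascii(hostname), f"whole-script confusable label {label!r}"
    return hostname, "ok"


if __name__ == "__main__":
    # Constructed sample hostnames: plain ASCII, Latin with diacritics, a
    # genuine single-script Cyrillic name, a mixed-script look-alike and a
    # whole-script confusable look-alike.
    samples = [
        "example.com",
        "b\u00fccher.de",
        "\u043c\u043e\u0441\u043a\u0432\u0430.\u0440\u0444",
        "p\u0430ypal.com",
        "\u0455\u0441\u043e\u0440\u0435.com",
    ]
    for host in samples:
        shown, why = display_form(host)
        print(f"{host!r:40} -> {shown!r:32} ({why})")
```

Note that the genuine Cyrillic name passes: it is single-script and contains letters (such as U+043C) with no Latin look-alike, so the policy only forces punycode where the whole label could be mistaken for Latin text. A production implementation would use the full Unicode confusables data and the registrar's IDN tables rather than this constructed subset.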