CVE-2026-0904 Overview
CVE-2026-0904 is an incorrect security UI vulnerability in the Digital Credentials component of Google Chrome prior to version 144.0.7559.59. This vulnerability allows a remote attacker to perform domain spoofing through a specially crafted HTML page, potentially deceiving users about the legitimacy of web content they are viewing.
Critical Impact
Attackers can exploit this vulnerability to spoof trusted domains, potentially leading to credential theft, phishing attacks, and user deception through manipulated security indicators in the browser.
Affected Products
- Google Chrome versions prior to 144.0.7559.59
- Chromium-based browsers using affected Digital Credentials components
Discovery Timeline
- 2026-01-20 - CVE-2026-0904 published to NVD
- 2026-01-20 - Last updated in NVD database
Technical Details for CVE-2026-0904
Vulnerability Analysis
This vulnerability falls under CWE-451 (User Interface (UI) Misrepresentation of Critical Information). The flaw exists within Chrome's Digital Credentials feature, which is designed to handle digital identity and credential verification workflows in the browser. When processing specially crafted HTML content, the security UI fails to properly represent the true origin or domain of the content being displayed.
The vulnerability enables attackers to manipulate how domain information is presented to users within Chrome's security interfaces. This type of UI spoofing can be particularly dangerous because users rely on browser security indicators to make trust decisions when entering sensitive information or approving credential operations.
Root Cause
The root cause is improper validation and rendering of domain information within the Digital Credentials security UI component. When Chrome processes certain crafted HTML structures, it fails to correctly display the actual domain origin, allowing attackers to present misleading domain information that appears legitimate to the user.
Attack Vector
Exploitation requires user interaction—specifically, a victim must navigate to a malicious webpage containing the crafted HTML payload. The attack is network-based and does not require authentication. Once the victim visits the malicious page, the attacker can present spoofed domain information within Chrome's Digital Credentials UI, potentially tricking users into:
- Approving credential sharing with malicious domains disguised as legitimate services
- Entering sensitive authentication data on spoofed interfaces
- Trusting malicious content that appears to originate from trusted sources
The attack leverages the trust users place in browser security UI elements to make the spoofed content appear authentic.
Detection Methods for CVE-2026-0904
Indicators of Compromise
- Unusual Digital Credentials API calls from untrusted web pages
- User reports of unexpected credential prompts or domain displays
- Web traffic to domains known for hosting credential phishing attacks
- Browser console errors related to Digital Credentials feature misuse
Detection Strategies
- Monitor for anomalous HTML patterns in web traffic that may indicate UI spoofing attempts
- Deploy web filtering solutions to block access to known malicious domains exploiting this vulnerability
- Implement browser telemetry monitoring for unusual Digital Credentials component behavior
- Review security logs for credential-related operations initiated from suspicious origins
Monitoring Recommendations
- Enable Chrome enterprise logging to track Digital Credentials feature usage
- Configure endpoint detection solutions to alert on browser-based phishing indicators
- Monitor for user-reported phishing attempts that leverage domain spoofing techniques
- Track browser version compliance across the organization to identify unpatched instances
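The version-compliance check from the last recommendation can be sketched as follows. This is an added example, not part of the original advisory; the inventory layout, host names and status labels are assumptions. It compares builds numerically against 144.0.7559.59 and treats versions taken from proxy User-Agent strings separately, because Chrome's User-Agent reduction reports only `MAJOR.0.0.0`, so a `144.0.0.0` value cannot confirm the patched build.

```python
import re

FIXED = (144, 0, 7559, 59)  # first patched Chrome build, per the advisory

# Constructed sample inventory (host, source, raw value); not real telemetry.
SAMPLE_INVENTORY = [
    ("ws-001", "endpoint", "144.0.7559.59"),
    ("ws-002", "endpoint", "143.0.7499.170"),
    ("ws-003", "endpoint", "99.0.4844.84"),
    ("ws-004", "proxy-ua", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
     "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36"),
    ("ws-005", "proxy-ua", "Mozilla/5.0 (X11; Linux x86_64) "
     "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36"),
    ("ws-006", "endpoint", "unknown"),
]

# Matches a bare four-part version or the Chrome/ token inside a User-Agent.
_VERSION = re.compile(r"(?:Chrome/|^)(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def classify(raw):
    """Return 'patched', 'vulnerable', 'indeterminate' or 'invalid'."""
    match = _VERSION.search(raw.strip())
    if not match:
        return "invalid"
    version = tuple(int(part) for part in match.groups())
    # Reduced User-Agent strings carry MAJOR.0.0.0: only the major is reliable.
    if version[1:] == (0, 0, 0):
        if version[0] < FIXED[0]:
            return "vulnerable"
        if version[0] > FIXED[0]:
            return "patched"
        return "indeterminate"  # same major, build unknown: check the endpoint
    # Tuple comparison is numeric, so 99.x sorts below 144.x (string compare would not).
    return "patched" if version >= FIXED else "vulnerable"


def audit(inventory):
    """Group host names by compliance status."""
    report = {"patched": [], "vulnerable": [], "indeterminate": [], "invalid": []}
    for host, _source, raw in inventory:
        report[classify(raw)].append(host)
    return report


if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status:14s} {', '.join(hosts) or '-'}")
```

Hosts reported as `indeterminate` or `invalid` need a follow-up query against endpoint management data, which records the full installed build.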
How to Mitigate CVE-2026-0904
Immediate Actions Required
- Update Google Chrome to version 144.0.7559.59 or later immediately
- Enable automatic updates for Chrome across all managed endpoints
- Notify users about potential phishing attacks leveraging browser UI spoofing
- Review recent credential operations for any suspicious activity
Patch Information
Google has released a security update addressing this vulnerability in Chrome version 144.0.7559.59. The patch corrects the improper UI rendering in the Digital Credentials component to ensure accurate domain information is displayed to users.
For detailed information about this security update, refer to the Google Chrome Stable Channel Update. Additional technical details can be found in the Chromium Issue Tracker.
Workarounds
- Educate users to verify domain information through multiple browser indicators before trusting credential prompts
- Consider temporarily disabling or restricting Digital Credentials features in enterprise Chrome policies until patching is complete
- Implement additional email and web filtering to block known phishing campaigns
- Deploy browser isolation solutions to reduce exposure when visiting untrusted sites
# Chrome Enterprise Policy Configuration
# Disable Digital Credentials until patch is applied (if applicable)
# Check Chrome policy documentation for specific registry/policy settings
# Force Chrome automatic updates
Google Chrome\Update\1.3.36.151\Update{8A69D345-D564-463C-AFF1-A69D9E530F96}=1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

