CVE-2026-0907 Overview
CVE-2026-0907 is a user interface spoofing vulnerability in Google Chrome's Split View feature affecting versions prior to 144.0.7559.59. The flaw, classified as [CWE-451] (User Interface Misrepresentation of Critical Information), allows a remote attacker to deceive users about the origin or security state of content rendered in the browser. Exploitation requires the victim to visit a crafted HTML page. Google rates the underlying Chromium security severity as Low, while NVD scoring elevates the network-exploitable nature of the issue. The vulnerability was addressed in the Stable channel update for desktop released by Google in January 2026.
Critical Impact
A crafted web page can manipulate Split View UI elements to misrepresent the origin or trust state of displayed content, enabling phishing and credential theft.
Affected Products
- Google Chrome prior to 144.0.7559.59 on Microsoft Windows
- Google Chrome prior to 144.0.7559.59 on Apple macOS
- Google Chrome prior to 144.0.7559.59 on Linux
Discovery Timeline
- 2026-01-20 - CVE-2026-0907 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2026-0907
Vulnerability Analysis
The vulnerability resides in Chrome's Split View functionality, a feature that renders two browsing contexts side by side within a single window. Chrome's security UI, including the origin indicator and address bar, must accurately reflect the active document for each pane. The Split View implementation prior to 144.0.7559.59 fails to maintain this invariant under attacker-controlled conditions.
This class of flaw falls under [CWE-451], where the browser presents information that does not match the actual security state. A successful spoof can convince users they are interacting with a trusted origin when the underlying content is attacker-controlled. The practical impact is amplified in phishing scenarios targeting banking, enterprise SSO, or webmail interfaces.
The Chromium project classified the underlying issue as Low severity. NVD applies a network attack vector score because exploitation occurs through standard web navigation without privileges or user authentication.
Root Cause
The root cause is improper synchronization between the Split View rendering pipeline and the security indicator subsystem. A crafted HTML page can trigger a state where UI elements such as origin labels or padlock indicators do not accurately reflect the document loaded in the adjacent pane. Technical specifics are tracked in the Chromium Issue Tracker Entry.
Attack Vector
Exploitation requires a victim to load a malicious HTML page in a Chrome instance with Split View active or to be enticed into opening Split View while viewing attacker content. The attacker does not need authentication or local access. The crafted page manipulates DOM and navigation primitives to desynchronize the displayed origin from the rendered content, producing a convincing spoof of a legitimate site.
No public proof-of-concept code, exploit, or active exploitation has been reported. The CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2026-0907
Indicators of Compromise
- Browser telemetry showing Chrome versions older than 144.0.7559.59 connecting to recently registered or low-reputation domains hosting HTML content that invokes Split View navigation patterns.
- Reports from users describing inconsistent address bar behavior, mismatched origin indicators, or unexpected Split View activation.
- Phishing landing pages referencing Chrome-specific UI features in their HTML or JavaScript.
Detection Strategies
- Inventory Chrome installations across the fleet and flag any version below 144.0.7559.59 for prioritized patching.
- Inspect web proxy and DNS logs for traffic to domains delivering phishing kits that target Chrome users, particularly pages combining credential forms with iframe or popup manipulation.
- Correlate browser version data from endpoint agents with user-reported phishing incidents to identify exploitation attempts.
Monitoring Recommendations
- Enable browser management policies that report installed Chrome versions to a central console.
- Monitor authentication systems for credential submission anomalies that may indicate successful phishing following a UI spoof.
- Subscribe to the Google Chrome Releases blog for ongoing security advisory updates.
How to Mitigate CVE-2026-0907
Immediate Actions Required
- Update Google Chrome to version 144.0.7559.59 or later on all Windows, macOS, and Linux endpoints.
- Force a browser restart after the update to ensure the patched binary is loaded.
- Verify enterprise update channels (Chrome Browser Cloud Management, Group Policy, MDM) are delivering the patched build to all managed devices.
Patch Information
Google released the fix in the Stable channel update for desktop on January 13, 2026. Details are documented in the Stable Channel Update for Desktop advisory. The patched version is 144.0.7559.59 across Windows, macOS, and Linux.
Workarounds
- Disable or avoid using the Split View feature until Chrome is updated on all endpoints.
- Reinforce phishing awareness training, emphasizing verification of URLs through means other than visual inspection of the address bar.
- Deploy enforced auto-update policies so security patches reach users without manual intervention.
# Verify installed Chrome version on Linux
google-chrome --version
# Verify on macOS
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --version
# Verify on Windows (PowerShell)
(Get-Item "$env:ProgramFiles\Google\Chrome\Application\chrome.exe").VersionInfo.ProductVersion
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
