Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-13955

CVE-2026-13955: Google Chrome UI Spoofing Vulnerability

CVE-2026-13955 is a UI spoofing vulnerability in Google Chrome for Android that allows local attackers to manipulate the user interface. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-13955 Overview

CVE-2026-13955 is a user interface (UI) spoofing vulnerability in the CustomTabs component of Google Chrome on Android. The flaw stems from insufficient validation of untrusted input in versions prior to 150.0.7871.47. A local attacker can leverage a malicious file to spoof UI elements rendered inside CustomTabs, misleading the user about the origin or content displayed by the browser. Google classifies this issue at Medium severity within the Chromium project, while the NVD assigns a lower base score reflecting the local attack vector and required user interaction. The weakness is tracked as CWE-20: Improper Input Validation.

Critical Impact

A local attacker can craft a malicious file that triggers UI spoofing inside Chrome CustomTabs on Android, enabling phishing and impersonation of trusted content.

Affected Products

  • Google Chrome on Android prior to 150.0.7871.47
  • Google Android platform hosting affected Chrome builds
  • Any application embedding Chrome CustomTabs on affected Chrome versions

Discovery Timeline

  • 2026-06-30 - CVE-2026-13955 published to NVD
  • 2026-07-02 - Last updated in NVD database

Technical Details for CVE-2026-13955

Vulnerability Analysis

CustomTabs is an Android feature that allows applications to embed a Chrome-rendered browsing surface while retaining branded UI elements such as the toolbar and URL bar. CVE-2026-13955 arises because Chrome does not adequately validate untrusted input that influences rendering within this surface. When a malicious file is opened through an affected code path, the resulting content can manipulate CustomTabs UI states to imitate trusted browser chrome. The vulnerability does not grant code execution or data exfiltration on its own. Its value to an attacker lies in enabling convincing phishing pages that appear to originate from a legitimate origin displayed by the browser UI.

Root Cause

The root cause is improper input validation ([CWE-20]) in the CustomTabs component. Untrusted file content reaches rendering logic that governs UI presentation without sufficient sanitization or origin checks. This allows malicious inputs to influence visible browser UI cues that users rely on to establish trust.

Attack Vector

Exploitation requires local access and user interaction. An attacker must place a malicious file on the device and induce the user to open it in a context that invokes Chrome CustomTabs. Successful exploitation results in spoofed UI elements, but confidentiality is not directly impacted and no privilege escalation occurs. See the Chromium Issue Tracker Entry for additional technical context.

Detection Methods for CVE-2026-13955

Indicators of Compromise

  • Presence of Chrome for Android builds below 150.0.7871.47 on managed devices.
  • Delivery of unusual file types through messaging apps, email, or sideloaded packages that trigger CustomTabs launches.
  • User reports of browser UI inconsistencies, such as mismatched URLs or unexpected branding within CustomTabs surfaces.

Detection Strategies

  • Inventory installed Chrome versions across Android fleets using mobile device management (MDM) telemetry and flag versions below the fixed build.
  • Monitor for applications that invoke CustomTabs intents with file:// or content:// URIs referencing untrusted sources.
  • Correlate phishing report submissions with Android endpoints running vulnerable Chrome versions.

Monitoring Recommendations

  • Track Chrome update compliance on Android endpoints through enterprise mobility platforms.
  • Alert on user-reported credential entry into pages launched via CustomTabs when the source application is untrusted.
  • Review MDM logs for file-open events that immediately precede Chrome CustomTabs activity.

How to Mitigate CVE-2026-13955

Immediate Actions Required

  • Update Google Chrome for Android to version 150.0.7871.47 or later through the Google Play Store.
  • Enforce automatic Chrome updates on managed Android devices via MDM policy.
  • Educate users to verify URLs and avoid opening unsolicited files delivered through messaging or email.

Patch Information

Google addressed the flaw in the Chrome stable channel update announced on the Google Chrome Update Announcement. Upgrading Chrome on Android to 150.0.7871.47 or later removes the vulnerable code path in CustomTabs input handling.

Workarounds

  • Restrict opening untrusted files on managed Android devices through MDM file-handling policies.
  • Disable or block third-party applications known to launch CustomTabs with untrusted file inputs until Chrome is updated.
  • Route sensitive workflows through standalone browser sessions rather than embedded CustomTabs surfaces where feasible.
bash
# Verify Chrome for Android version on a managed device via adb
adb shell dumpsys package com.android.chrome | grep versionName
# Expected: versionName=150.0.7871.47 or later

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.