Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-14028

CVE-2026-14028: Google Chrome XSS Vulnerability

CVE-2026-14028 is an XSS flaw in Google Chrome for iOS that enables UI spoofing through crafted HTML pages. This post covers the technical details, affected versions, security impact, and mitigation steps.

Published:

CVE-2026-14028 Overview

CVE-2026-14028 is a user interface spoofing vulnerability in Google Chrome for iOS versions prior to 150.0.7871.47. The flaw stems from incorrect security UI handling, categorized under [CWE-451] (User Interface Misrepresentation of Critical Information). A remote attacker can craft a malicious HTML page that manipulates security indicators shown to users. Exploitation requires the victim to perform specific UI gestures, making the attack conditional on user interaction. Google classified the Chromium security severity as Low, and the vulnerability affects Chrome running on Apple iPhone OS.

Critical Impact

Attackers can misrepresent security context in the Chrome iOS browser UI to convince users that malicious pages are legitimate, enabling phishing and credential theft workflows.

Affected Products

  • Google Chrome for iOS prior to 150.0.7871.47
  • Apple iPhone OS (iOS) devices running vulnerable Chrome builds
  • Any iOS deployment relying on Chrome as the primary browser

Discovery Timeline

  • 2026-06-30 - CVE-2026-14028 published to NVD
  • 2026-07-02 - Last updated in NVD database

Technical Details for CVE-2026-14028

Vulnerability Analysis

The vulnerability resides in the security UI layer of Chrome for iOS. Chrome renders indicators such as the address bar, lock icon, and certificate context to communicate trust state to the user. A crafted HTML page combined with specific user gestures causes Chrome to display security UI inconsistent with the actual origin or content. This mismatch enables UI spoofing attacks where an attacker-controlled page appears to belong to a trusted origin. The attack aligns with classic browser chrome spoofing patterns tracked under [CWE-451].

Root Cause

The root cause is improper synchronization between navigation state and security UI updates during user-initiated gestures. When the user performs certain interactions with an attacker-crafted page, Chrome fails to accurately reflect the true origin or navigation state. The iOS-specific WebKit constraints amplify this class of issue, since Chrome for iOS cannot ship its own rendering engine and must coordinate UI with underlying platform behavior.

Attack Vector

Exploitation requires network-based delivery of a crafted HTML page combined with user interaction. The attacker hosts or serves a malicious page, then convinces the user to visit it and perform specific UI gestures such as taps, scrolls, or navigation actions. Successful exploitation results in a spoofed browser UI that misrepresents the site's identity or security posture. The attack does not yield direct code execution or data disclosure but supports downstream phishing, credential harvesting, and social engineering campaigns.

No public proof-of-concept exploit is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. See the Chromium Issue Tracker Entry for additional technical context.

Detection Methods for CVE-2026-14028

Indicators of Compromise

  • User reports of Chrome iOS sessions displaying inconsistent address bar content or unexpected origin transitions
  • Access logs showing users visiting suspicious HTML pages followed by credential submission to unrelated domains
  • Phishing lure URLs that specifically target iOS user agents and instruct users to perform tap or swipe gestures

Detection Strategies

  • Monitor mobile device management (MDM) inventory for Chrome iOS versions below 150.0.7871.47
  • Correlate proxy or DNS telemetry with newly registered domains hosting HTML content designed for mobile browser interaction
  • Inspect email and messaging gateways for links directing iOS users to gesture-based interactive pages

Monitoring Recommendations

  • Track Chrome iOS version distribution across managed fleets and alert on outdated installations
  • Establish user reporting workflows so employees can flag suspicious browser UI behavior for triage
  • Review authentication logs for credential submissions originating from mobile browsers to unfamiliar destinations

How to Mitigate CVE-2026-14028

Immediate Actions Required

  • Update Chrome for iOS to version 150.0.7871.47 or later through the Apple App Store
  • Push forced updates through MDM policies where supported to ensure fleet-wide remediation
  • Communicate advisory guidance to end users, emphasizing verification of URLs before entering credentials on mobile

Patch Information

Google addressed CVE-2026-14028 in Chrome for iOS 150.0.7871.47. Refer to the Google Chrome Stable Update advisory for release details and the Chromium Issue Tracker Entry for the underlying fix reference.

Workarounds

  • Temporarily direct iOS users to Safari or another patched browser until Chrome is updated
  • Deploy phishing-resistant authentication such as FIDO2 hardware keys to reduce credential theft impact
  • Enforce user education campaigns focused on recognizing spoofed browser UI on mobile devices
bash
# Verify installed Chrome for iOS version via MDM query (example - Jamf Pro)
curl -s -u "$JAMF_USER:$JAMF_PASS" \
  "$JAMF_URL/JSSResource/mobiledeviceapplications/bundleid/com.google.chrome.ios" \
  | grep -E "<version>|<name>"

# Flag devices running versions below 150.0.7871.47 for remediation

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.