SentinelOne
CVE Vulnerability Database

CVE-2026-3925: Google Chrome Android XSS Vulnerability

CVE-2026-3925 is a UI spoofing XSS vulnerability in Google Chrome for Android affecting versions before 146.0.7680.71. Attackers can exploit this flaw via crafted HTML pages. This article covers technical details, affected versions, impact, and mitigation steps.

CVE-2026-3925 Overview

CVE-2026-3925 is a UI spoofing vulnerability in Google Chrome's LookalikeChecks component affecting Android devices running versions prior to 146.0.7680.71. The vulnerability stems from incorrect security UI implementation that allows remote attackers to deceive users through crafted HTML pages, potentially leading to phishing attacks and credential theft.

Critical Impact

Attackers can exploit this vulnerability to display misleading security indicators in Chrome for Android, potentially tricking users into believing they are visiting legitimate websites when they are actually on malicious lookalike domains.

Affected Products

  • Google Chrome for Android prior to version 146.0.7680.71
  • LookalikeChecks component in Chrome Mobile

Discovery Timeline

  • 2026-03-11 - CVE-2026-3925 published to NVD
  • 2026-03-12 - Last updated in NVD database

Technical Details for CVE-2026-3925

Vulnerability Analysis

This vulnerability is classified under CWE-451 (User Interface (UI) Misrepresentation of Critical Information). The LookalikeChecks feature in Google Chrome is designed to protect users from deceptive websites that use domain names similar to legitimate sites. When this security mechanism fails to properly render security indicators, attackers can craft malicious pages that bypass these protections.

The flaw allows remote attackers to manipulate how security-related UI elements are displayed to users. This is particularly dangerous on mobile devices where screen real estate is limited and users may rely more heavily on visual security cues to determine site legitimacy.

Root Cause

The root cause lies in improper handling of security UI elements within Chrome's LookalikeChecks implementation on Android. The component fails to correctly validate and display security warnings when processing specially crafted HTML content, resulting in misleading security indicators being shown to users.

Attack Vector

The attack is network-based and requires user interaction. An attacker must convince a victim to navigate to a malicious webpage containing specially crafted HTML. Once the user visits the page, the incorrect security UI allows the attacker to:

  1. Display fraudulent security indicators that mimic legitimate sites
  2. Suppress or modify lookalike domain warnings
  3. Create convincing phishing pages that appear trustworthy

Exploitation requires hosting a crafted HTML page that triggers the incorrect security UI rendering in Chrome's LookalikeChecks component. When a victim navigates to that page on an affected Chrome for Android version, the security indicators may be manipulated to present misleading information about the site's identity. For detailed technical information, refer to the Chromium Issue Tracker entry.

Detection Methods for CVE-2026-3925

Indicators of Compromise

  • Unusual browser behavior when displaying security warnings on Android devices
  • Users reporting trusted site indicators on suspicious domains
  • Network traffic to known lookalike domains that should trigger warnings but don't
  • Increased phishing-related incidents targeting Chrome for Android users

Detection Strategies

  • Monitor for Chrome for Android versions prior to 146.0.7680.71 across the organization
  • Implement browser version compliance checks in MDM solutions
  • Deploy network monitoring to detect access to known phishing or lookalike domains
  • Review user reports of suspicious security indicator behavior

Monitoring Recommendations

  • Enable Chrome browser policy logging to track version compliance
  • Configure endpoint detection to alert on outdated Chrome installations on Android devices
  • Monitor security team channels for reports of UI spoofing incidents
  • Track Chromium security advisories for related vulnerabilities
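The version-compliance checks listed under Detection Strategies and Monitoring Recommendations come down to one comparison: is the installed Chrome for Android build older than 146.0.7680.71? The script below is an added example, not code from the SentinelOne page or from Google; it parses Chrome Android User-Agent strings (from MDM inventory or web-server logs), compares the four-part version numerically, and lists devices still on an affected build. The inventory records are constructed sample data.

```python
# Added example (not from the advisory): flag Chrome for Android installs
# still below the first fixed build for CVE-2026-3925. Sample records below
# are constructed, not real devices.
import re
from typing import Iterable, List, Optional, Tuple

FIXED_VERSION = (146, 0, 7680, 71)  # first fixed build, as stated in the advisory

# Matches a Chrome for Android UA such as
# "Mozilla/5.0 (Linux; Android 14; Pixel 8) ... Chrome/146.0.7680.71 Mobile Safari/537.36"
UA_RE = re.compile(r"Android[^)]*\).*?Chrome/(\d+(?:\.\d+){3})", re.IGNORECASE)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '146.0.7680.71' into (146, 0, 7680, 71). Numeric comparison matters:
    as plain strings '146.0.7680.9' sorts AFTER '146.0.7680.71'."""
    parts = v.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version: {v!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the build predates the fixed release."""
    return parse_version(version) < FIXED_VERSION


def chrome_android_version(user_agent: str) -> Optional[str]:
    """Extract the Chrome version from an Android UA; None for other browsers or platforms."""
    m = UA_RE.search(user_agent)
    return m.group(1) if m else None


def find_vulnerable(records: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """records: (device_id, user_agent) pairs. Returns devices on affected builds."""
    hits = []
    for device_id, ua in records:
        ver = chrome_android_version(ua)
        if ver is not None and is_affected(ver):
            hits.append((device_id, ver))
    return hits


# Constructed sample inventory (hypothetical devices and builds)
SAMPLE = [
    ("dev-01", "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.7680.71 Mobile Safari/537.36"),
    ("dev-02", "Mozilla/5.0 (Linux; Android 13; SM-S911B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.7680.9 Mobile Safari/537.36"),
    ("dev-03", "Mozilla/5.0 (Linux; Android 14; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.7632.100 Mobile Safari/537.36"),
    ("dev-04", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.7632.100 Safari/537.36"),
]

if __name__ == "__main__":
    for device_id, ver in find_vulnerable(SAMPLE):
        print(f"{device_id}: Chrome/{ver} is below 146.0.7680.71, update required")
```

Desktop Chrome (dev-04) is deliberately skipped because the advisory scopes this CVE to the Android build; dev-02 shows why the comparison must be numeric rather than lexical.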

How to Mitigate CVE-2026-3925

Immediate Actions Required

  • Update Google Chrome for Android to version 146.0.7680.71 or later immediately
  • Enable automatic updates for Chrome on all managed Android devices
  • Alert users about potential phishing attempts exploiting this vulnerability
  • Consider temporary restrictions on accessing untrusted websites until patches are applied

Patch Information

Google has addressed this vulnerability in Chrome version 146.0.7680.71. The fix corrects the security UI implementation in the LookalikeChecks component to properly display security indicators. Organizations should reference the Google Chrome Update Announcement for complete details on all security fixes included in this release.

Workarounds

  • Educate users to manually verify URLs in the address bar rather than relying solely on visual security indicators
  • Implement web filtering to block access to known lookalike domains
  • Consider deploying alternative browsers temporarily on Android devices until Chrome can be updated
  • Use mobile device management (MDM) to enforce minimum browser version requirements

Organizations using Mobile Device Management should ensure policies are configured to enforce Chrome updates:

# Example MDM policy configuration for Chrome version enforcement
# Require minimum Chrome version on managed Android devices
ChromeMinimumVersion: 146.0.7680.71
AutoUpdateEnabled: true
BlockOutdatedBrowsers: true

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
