CVE-2026-5905 Overview
CVE-2026-5905 is a user-interface security flaw in the Permissions component of Google Chrome on Windows. Chrome versions prior to 147.0.7727.55 are affected: a remote attacker who gets a user to open a crafted HTML page can cause the browser to present a misleading domain (domain spoofing) in its permissions UI. The issue is classified as CWE-451: User Interface (UI) Misrepresentation of Critical Information. Google rated the Chromium security severity as Low; NVD assigned a medium CVSS score, reflecting the integrity impact of deceiving the user rather than any compromise of the browser itself.
Critical Impact
A remote attacker can cause Chrome's permissions UI to misrepresent the requesting origin. A user who trusts the displayed domain may grant a sensitive permission (location, camera, microphone, notifications) to the attacker's site, or may be more easily drawn into a phishing flow on it. The flaw does not by itself give the attacker code execution or direct access to credentials; the Low (Chromium) and medium (NVD) ratings reflect that.
Affected Products
- Google Chrome for Windows prior to 147.0.7727.55
- Windows endpoints running any such Chrome build, whether installed per-user or system-wide
- Other Chromium-based browsers may share the affected permissions UI code; consult each vendor's advisory for the corresponding fixed release
Discovery Timeline
- 2026-04-08 - CVE-2026-5905 published to NVD
- 2026-04-14 - Last updated in NVD database
Technical Details for CVE-2026-5905
Vulnerability Analysis
The vulnerability resides in Chrome's Permissions subsystem, which displays prompts requesting user consent for sensitive APIs such as geolocation, camera, microphone, and notifications. The permissions UI fails to correctly represent the requesting origin under certain conditions, allowing the displayed domain context to diverge from the actual origin invoking the prompt.
An attacker who hosts a crafted HTML page can trigger the permissions prompt and cause it to render misleading origin information. Users who rely on the displayed origin to make trust decisions may approve sensitive permissions believing they are interacting with a legitimate site. The issue requires user interaction, since the victim must open the page and act on the spoofed prompt, but the attacker needs no privileges or authentication.
Root Cause
The root cause is improper handling of origin display logic within the Permissions UI, which falls under CWE-451. The browser presents critical security information (the requesting origin) in a way that does not accurately reflect the underlying security context. Chromium tracked the defect as Issue #483899628.
Attack Vector
Exploitation occurs over the network with low attack complexity: the attacker delivers a crafted HTML page through a phishing link, malicious advertisement, or compromised website, and the victim opens it in an unpatched Chrome. The permissions prompt then renders with a spoofed domain context. The CVSS impact is to integrity (the user is deceived); the confidentiality and availability of the browser process are not directly affected. Note, however, that any permission granted on the strength of the spoofed prompt is then genuinely available to the attacker's origin until the user or an administrator revokes it.
No verified proof-of-concept code is publicly available. Technical reproduction details are referenced in the Chromium Issue Tracker entry and the Chrome Releases announcement.
Detection Methods for CVE-2026-5905
Indicators of Compromise
- Browser telemetry showing new permission grants (geolocation, notifications, camera, microphone) to recently registered or low-reputation domains
- Web proxy or DNS logs showing a visit to a suspected phishing page closely followed, in browser telemetry, by a permission grant to that page's origin
- Outbound DNS or web proxy requests to domains hosting pages associated with permission-abuse campaigns
Detection Strategies
- Inventory Chrome installations across Windows endpoints and flag any version below 147.0.7727.55 (compare version components numerically, not as strings, so that 147.0.7740.12 is correctly treated as newer than 147.0.7727.55)
- Correlate browser process telemetry with newly granted site permissions and compare the granting origins against an allowlist of business domains
- Monitor for phishing infrastructure delivering HTML that calls Notification.requestPermission(), navigator.geolocation.getCurrentPosition() or watchPosition(), or navigator.mediaDevices.getUserMedia() on page load or on the first user gesture
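The following Python is an added example, not code from the Chromium project or from this advisory. It implements two of the checks above against constructed sample data: it compares installed Chrome versions with the fixed build component by component, and it lists ALLOW grants for sensitive permission types in a Chrome profile's Preferences JSON (the profile.content_settings.exceptions structure) whose host is not on a business allowlist. The content-setting type names geolocation, notifications, media_stream_camera and media_stream_mic are those used by current Chrome builds, but treat them as an assumption to confirm against the Preferences file on a reference endpoint. The inventory lines, Preferences excerpt, hostnames and allowlist are all constructed.

```python
"""Audit helpers for CVE-2026-5905 exposure (added example, not Chromium code).

Two checks from the detection strategy:
  1. flag Windows endpoints whose Chrome build predates the fixed release;
  2. list sensitive permission grants in a Chrome profile's Preferences JSON
     whose origin is not an allowlisted business domain.
All sample data below is constructed for illustration.
"""
import json
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

FIXED_VERSION = "147.0.7727.55"

# Values Chrome stores under profile.content_settings.exceptions.<type>.<pattern>.setting
SETTING_ALLOW = 1
SETTING_BLOCK = 2

# Content-setting type names as used in Chrome's Preferences file. Assumption of this
# example: verify them against a Preferences file on a reference endpoint.
SENSITIVE_TYPES = ("geolocation", "notifications", "media_stream_camera", "media_stream_mic")


def parse_version(version: str) -> Tuple[int, ...]:
    """'146.0.7700.100' -> (146, 0, 7700, 100); numeric so 147.0.7740.12 > 147.0.7727.55."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def unpatched_hosts(inventory_csv: str) -> List[str]:
    """Return hostnames from 'host,version' lines that still run a vulnerable build."""
    flagged = []
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, version = line.split(",", 1)
        if is_vulnerable(version):
            flagged.append(host.strip())
    return flagged


def pattern_host(pattern: str) -> str:
    """Host of a Chrome content-settings pattern such as 'https://example.com:443,*'.

    The key is '<primary pattern>,<secondary pattern>'; a '[*.]' prefix means
    'this host and its subdomains' and is dropped before parsing."""
    primary = pattern.split(",", 1)[0].replace("[*.]", "")
    return urlsplit(primary).hostname or primary


def audit_grants(preferences: dict, allowlist: Set[str]) -> List[Dict[str, str]]:
    """ALLOW grants for sensitive types whose host is neither allowlisted nor a subdomain of one."""
    exceptions = preferences.get("profile", {}).get("content_settings", {}).get("exceptions", {})
    findings: List[Dict[str, str]] = []
    for ptype in SENSITIVE_TYPES:
        for pattern, entry in exceptions.get(ptype, {}).items():
            if entry.get("setting") != SETTING_ALLOW:
                continue  # blocked or ask: not a grant
            host = pattern_host(pattern)
            if host in allowlist or any(host.endswith("." + a) for a in allowlist):
                continue
            findings.append({"type": ptype, "host": host,
                             "last_modified": str(entry.get("last_modified", ""))})
    return findings


# Constructed inventory: hostname,Chrome version (as exported from CBCM or the 'pv' registry value)
SAMPLE_INVENTORY = """\
WS-0412,146.0.7700.100
WS-0415,147.0.7727.55
WS-0419,147.0.7740.12
WS-0422,145.0.7632.210
"""

# Constructed excerpt in the shape of a Chrome Preferences file; the last_modified
# values are arbitrary placeholders, not real timestamps.
SAMPLE_PREFERENCES = json.loads("""{
  "profile": {"content_settings": {"exceptions": {
    "geolocation": {
      "https://maps.example.com:443,*": {"last_modified": "13390000000000000", "setting": 1},
      "https://login-corp-portal.example.net:443,*": {"last_modified": "13391000000000000", "setting": 1}
    },
    "notifications": {
      "https://news.example.org:443,*": {"last_modified": "13389000000000000", "setting": 2},
      "https://login-corp-portal.example.net:443,*": {"last_modified": "13391000000000000", "setting": 1}
    },
    "media_stream_camera": {
      "https://[*.]example.com:443,*": {"last_modified": "13388000000000000", "setting": 1}
    }
  }}}
}""")

BUSINESS_ALLOWLIST = {"example.com"}

if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"UNPATCHED {host}")
    for finding in audit_grants(SAMPLE_PREFERENCES, BUSINESS_ALLOWLIST):
        print(f"REVIEW {finding['type']:<20} {finding['host']}")
```

On a real endpoint the Preferences file for the default profile lives at %LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences and can be passed to audit_grants() after json.load(); a grant to a host outside the allowlist is a lead to triage, not proof of exploitation, since users also grant permissions to legitimate sites that are simply not on the list.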
Monitoring Recommendations
- Enable enterprise reporting through Chrome Browser Cloud Management to collect version and extension inventory
- Forward browser event logs to a centralized SIEM and alert on permission grants to uncategorized domains
- Track user-reported phishing incidents and pivot on indicators to identify additional victims of UI spoofing
How to Mitigate CVE-2026-5905
Immediate Actions Required
- Update Google Chrome on all Windows endpoints to version 147.0.7727.55 or later
- Verify that automatic updates are functioning and that users relaunch Chrome, since the new version only takes effect after a restart
- Communicate the risk to users and reinforce caution when approving browser permission prompts
Patch Information
Google released the fix in the Stable Channel update for desktop documented in the Chrome Releases blog. Administrators should deploy Chrome 147.0.7727.55 or newer. Chromium-based browsers should be updated to the corresponding upstream-patched release from their respective vendors.
Workarounds
- Until patching is complete, use Chrome enterprise policies to block permission prompts by default: set DefaultGeolocationSetting and DefaultNotificationsSetting to 2 (block), and set VideoCaptureAllowed and AudioCaptureAllowed to false where camera and microphone are not needed; re-allow specific business sites with the matching allow-list policies (for example NotificationsAllowedForUrls). These policies remove the prompt entirely rather than fixing its display, so they also affect legitimate sites
- Restrict browsing to trusted sites via web filtering or DNS protection to reduce exposure to crafted HTML pages
- Train users to verify the origin shown in the address bar, not only the text in the prompt itself, before approving any browser permission request
# Verify installed Chrome version on Windows (system-wide install; Google Update records
# the product version in the 'pv' value under the Chrome Stable app GUID)
reg query "HKLM\Software\Google\Update\Clients\{8A69D345-D564-463C-AFF1-A69D9E530F96}" /v pv
# Per-user installs record the same value under HKCU instead of HKLM
reg query "HKCU\Software\Google\Update\Clients\{8A69D345-D564-463C-AFF1-A69D9E530F96}" /v pv
# Example Chrome enterprise policy to block permission prompts (registry-backed policy; 2 = block).
# Chrome applies the change on its next policy refresh, or at once via chrome://policy > Reload policies.
reg add "HKLM\Software\Policies\Google\Chrome" /v DefaultGeolocationSetting /t REG_DWORD /d 2 /f
reg add "HKLM\Software\Policies\Google\Chrome" /v DefaultNotificationsSetting /t REG_DWORD /d 2 /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.