{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5875", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-04-08T19:34:36.453Z", "datePublished": "2026-04-08T21:20:46.990Z", "dateUpdated": "2026-04-08T21:20:46.990Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "147.0.7727.55", "status": "affected", "lessThan": "147.0.7727.55", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Policy bypass in Blink in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Policy bypass"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-08T21:20:46.990Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"url": "https://issues.chromium.org/issues/430198264"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Policy bypass in Blink in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)"}], "id": "CVE-2026-5875", "lastModified": "2026-04-08T22:16:27.110", "metrics": {}, "published": "2026-04-08T22:16:27.110", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/430198264"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Received"}

{"bugzilla": {"description": "chromium-browser: Policy bypass in Blink", "id": "2456790", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456790"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-1021", "details": ["A policy bypass flaw was found in the Blink component of the Chromium browser.\nUpstream bug(s):\nhttps://code.google.com/p/chromium/issues/detail?id=430198264"], "name": "CVE-2026-5875", "public_date": "2026-04-07T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-5875\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-5875\nhttps://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html\nhttps://issues.chromium.org/issues/430198264"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "147.0.7727.55"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-10T01:36:11.922340+00:00", "value": {"mitigation_remediation": ["Update Google Chrome to version 147.0.7727.55 or later."], "summary": {"action": "Apply Patch", "impact": "UI Spoofing via crafted HTML page"}, "threat_synthesis": {"affected_systems": "The affected product is Google Chrome for desktop environments. Versions prior to 147.0.7727.55 are vulnerable to the Blink policy bypass that permits UI spoofing. Updated releases of Chrome include mitigations that remove this flaw.", "description_and_impact": "A policy bypass in Chrome\u2019s Blink engine allows an attacker to deliver a malicious HTML page that can visually mimic legitimate pages, enabling phishing or social engineering attacks. The flaw does not grant code execution but can deceive users into trusting spoofed interfaces. The vulnerability is catalogued as Medium severity with a CVSS score of 5.4, reflecting surface-level impact focused on UI manipulation rather than system compromise.", "risk_and_exploitability": "Capitalizing on this defect requires a crafted HTML page served remotely, meaning the attacker must entice a user to load the page (typical phishing scenario). Because the exploitation surface does not involve privilege escalation or direct code execution, the EPSS score is below 1%, indicating low expected exploitation rates. The CVSS score signals medium risk, and the vulnerability is not listed in CISA\u2019s KEV catalog, so there is no confirmed widespread exploitation. Nonetheless, the attack vector presents a credible risk for deceptive UI attacks that could compromise user data or credentials if a user is convinced by the spoofed interface."}}}}, "created": "2026-04-09T08:17:27.510974+00:00", "updated": "2026-04-10T09:40:25.578080+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}