CVE-2026-0904 is a security vulnerability identified in Google Chrome versions prior to 144.0.7559.59, related to an incorrect security user interface (UI) implementation within the Digital Credentials feature. The flaw allows a remote attacker to craft a malicious HTML page that can spoof domain information, misleading users into believing they are interacting with a legitimate website when they are not. This domain spoofing can facilitate phishing attacks, credential theft, or other social engineering exploits by undermining the trustworthiness of the browser's security indicators. The vulnerability does not require the attacker to have any prior authentication or elevated privileges, but it does require the victim to visit a maliciously crafted webpage. Although no known exploits have been reported in the wild, the potential for abuse exists given the widespread use of Google Chrome globally. The vulnerability impacts the confidentiality and integrity of user data by enabling attackers to impersonate trusted domains, potentially capturing sensitive information or credentials. The issue was publicly disclosed on January 20, 2026, with no CVSS score assigned yet. The security severity assigned by Chromium is medium, reflecting the moderate risk posed by UI spoofing attacks that rely on user interaction and social engineering. The vulnerability has been addressed in Chrome version 144.0.7559.59, and users are advised to update promptly to mitigate the risk.

For European organizations, this vulnerability poses a risk primarily through phishing and social engineering attacks that exploit the browser's UI to spoof trusted domains. This can lead to unauthorized disclosure of sensitive information, credential compromise, and potential downstream impacts such as unauthorized access to corporate resources or financial fraud. Organizations with employees who frequently access web-based services or handle sensitive data via Chrome browsers are particularly vulnerable. The impact on confidentiality and integrity is significant, as attackers can deceive users into submitting credentials or sensitive data to malicious sites. Availability is less directly impacted, but successful exploitation could lead to broader security incidents affecting service continuity. The lack of known exploits in the wild reduces immediate risk, but the widespread use of Chrome in Europe and the reliance on digital credentials heighten the potential impact if exploited. Regulatory compliance frameworks such as GDPR also increase the importance of addressing such vulnerabilities promptly to avoid data breaches and associated penalties.

1. Immediately update all Google Chrome installations to version 144.0.7559.59 or later to apply the security fix. 2. Implement enterprise-wide browser update policies to ensure timely patching of vulnerabilities. 3. Educate users on recognizing phishing attempts and verifying website authenticity beyond browser UI cues, including checking URLs carefully and using multi-factor authentication. 4. Deploy web filtering solutions that can block access to known malicious sites and suspicious URLs. 5. Monitor network traffic for unusual patterns that may indicate phishing or spoofing attempts. 6. Encourage the use of password managers that autofill credentials only on verified domains to reduce the risk of credential theft. 7. Conduct regular security awareness training emphasizing the risks of UI spoofing and social engineering. 8. For critical systems, consider browser isolation or sandboxing technologies to limit exposure to malicious web content.