EPSS Score
Source: FIRST.org · 2026-05-23
This CVE has a 0.97% probability of being exploited in the next 30 days.
Top 76.9th percentile of all CVEs
CVSS v3.1
Source: NVD
6.5 MEDIUM
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVSS v2 (legacy)
4.3 MEDIUM
Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality: None
Integrity: Partial
Availability: None
AV:N/AC:M/Au:N/C:N/I:P/A:N
Description
Source: NVD
Incorrect security UI in Loader in Google Chrome prior to 89.0.4389.72 allowed a remote attacker who had compromised the renderer process to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
Affected Products
google: chrome
fedoraproject: fedora
debian: debian linux
https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html (Release Notes, Third Party Advisory)
https://crbug.com/1111646 (Exploit, Issue Tracking, Patch, Permissions Required, Third Party Advisory)
https://security.gentoo.org/glsa/202104-08 (Third Party Advisory)
https://www.debian.org/security/2021/dsa-4886 (Third Party Advisory)
Signal Intelligence
Confidence: 85%
EPSS: 0.97%
CVSS v3.1: 6.5
Mentions: 2
Last Seen: Mar 09, 2021
CNA Information
Analyst Note
Article [1] explicitly names this as 'actively exploited Chrome zero-day bug' fixed by Google in 2021, confirming in-the-wild exploitation. The CVE year (2021) aligns with the fix timeline, indicating exploitation preceded or coincided with patch availability. Article [2] mentions Microsoft Patch Tuesday with zero-days, but the first source provides direct zero-day confirmation for this specific CVE.
Triage Info
Decided at: Mar 20, 2026