PatchSiren cyber security CVE debrief

CVE-2026-8584 Google CVE debrief

A UI spoofing vulnerability in Google Chrome on iOS, rated Medium severity (CVSS 4.2), was addressed in version 148.0.7778.168. The flaw stemmed from inappropriate implementation in Views, allowing a remote attacker who had already compromised the renderer process to spoof UI elements via a crafted HTML page. The attack requires high complexity and user interaction, with limited confidentiality and availability impact. No evidence of active exploitation or ransomware campaign use has been identified.

Vendor: Google
Product: Chrome
CVSS: MEDIUM 4.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-19
Advisory published: 2026-05-14
Advisory updated: 2026-05-19

Who should care

Organizations with iOS device fleets using Google Chrome; security teams monitoring browser security posture; mobile application security practitioners; incident responders investigating potential browser-based social engineering campaigns.

Technical summary

The vulnerability exists in the Views implementation of Google Chrome on iOS. An attacker who has already achieved renderer process compromise can leverage this flaw to perform UI spoofing through a crafted HTML page. The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L) reflects a network attack vector, high attack complexity, no privileges required, user interaction required, and unchanged scope, with low confidentiality impact, no integrity impact, and low availability impact. The fix was released in Chrome iOS version 148.0.7778.168.

Defensive priority

Medium

Recommended defensive actions

  • Update Google Chrome on iOS devices to version 148.0.7778.168 or later
  • Monitor for unexpected UI behavior in Chrome on iOS that may indicate renderer compromise
  • Apply standard browser security hygiene including avoiding untrusted sites and suspicious links
  • Review Chromium security advisories for additional context on renderer process hardening

Evidence notes

CVE published 2026-05-14; modified 2026-05-19. Vendor advisory confirms fix in Chrome iOS 148.0.7778.168. Chromium issue tracker reference requires permissions to access full details. CPE data indicates vulnerability affects Google Chrome on iOS; Apple iPhone OS listed as non-vulnerable platform context.
