CVE-2025-13636: Authentication Bypass by Spoofing in Google Chrome

Severity: 4.3 MEDIUM (NVD)
EPSS: 0.1% (top 68.28%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: (see Affected Packages below)
Timeline:
  Published: Dec 2
  Latest update: Dec 17

Description

Inappropriate implementation in Split View in Google Chrome prior to 143.0.7499.41 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted domain name. (Chromium security severity: Low)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Exploitability: 2.8 | Impact: 1.4

Affected Packages (3 packages)

Source | Package | Affected versions
CVEListV5 | google/chrome | 143.0.7499.41 (affected) / 143.0.7499.41 (fixed)
NVD | google/chrome | < 143.0.7499.40
Debian | chromium/chromium | < 143.0.7499.40-1~deb12u1+2

🔴 Vulnerability Details (3)

CVEList: CVE-2025-13636: Inappropriate implementation in Split View in Google Chrome prior to 143 (2025-12-02)
GHSA: GHSA-6pgw-376w-jrxx: Inappropriate implementation in Split View in Google Chrome prior to 143 (2025-12-02)
OSV: CVE-2025-13636: Inappropriate implementation in Split View in Google Chrome prior to 143 (2025-12-02)

📋 Vendor Advisories (5)

Chrome: Stable Channel Update for ChromeOS / ChromeOS Flex: CVE-2025-13636 (2025-12-17)
Microsoft: Chromium: CVE-2025-13636 Inappropriate implementation in Split View (2025-12-09)
Red Hat: chromium-browser: Inappropriate implementation in Split View (2025-12-02)
Debian: CVE-2025-13636: chromium - Inappropriate implementation in Split View in Google Chrome prior to 143.0.7499.... (2025)
Microsoft: In GNU patch through 2.7.6 the following of symlinks is mishandled in certain cases other than input files. This affects inp.c and util.c. (2019-07-09)

🕵️ Threat Intelligence (1)

Bleepingcomputer: Microsoft December 2025 Patch Tuesday fixes 3 zero-days, 57 flaws (2025-12-09)
CVE-2025-13636 — Authentication Bypass by Spoofing | cvebase