Description
Incorrect security UI in PictureInPicture in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-03-11
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: UI spoofing via malicious Picture-in-Picture overlays
Action: Patch Now
AI Analysis

Impact

The vulnerability is an incorrect security UI in the Picture-in-Picture feature of Google Chrome that lets a remote attacker use a crafted web page to display UI elements that appear legitimate. This visual spoofing can deceive users into interacting with deceptive content or trusting a page they should not. The impact is confined to the user interface and does not grant code execution or direct access to system data.

Affected Systems

All operating systems supported by Google Chrome are affected, as the flaw exists in the browser itself. The security issue applies to Chrome versions prior to 146.0.7680.71 and is present on macOS, Linux, and Windows platforms. Updating to the specified version or newer removes the incorrect UI behavior.

Risk and Exploitability

With a CVSS score of 4.3 and an EPSS of less than 1%, the risk is moderate and exploitation is unlikely to be widespread. The flaw is not listed in the CISA KEV catalog, indicating no known active exploitation. The attack vector is inferred to be a normal web browsing session in which a malicious site serves a specially crafted page that causes the browser to open Picture-in-Picture with a counterfeit security UI. Successful exploitation requires the target user to interact with the overlay, leading to possible user confusion or phishing.

Generated by OpenCVE AI on April 16, 2026 at 09:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Chrome update to version 146.0.7680.71 or later, which resolves the UI integrity flaw identified as CWE-451.
  • Configure Chrome policies or settings to disable or restrict Picture-in-Picture for untrusted web content, mitigating the UI spoofing defect (CWE-451).
  • Continuously monitor Chrome security releases and apply any subsequent fixes that address CWE-451 or similar UI vulnerabilities.

Advisories
Source  ID  Title
Debian DSA  DSA-6164-1  chromium security update
History

Fri, 13 Mar 2026 20:30:00 +0000

Type: First Time appeared
Values Added: Apple, Apple macos, Linux, Linux linux Kernel, Microsoft, Microsoft windows

Type: CPEs
Values Added: cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*, cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*, cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*, cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Apple, Apple macos, Linux, Linux linux Kernel, Microsoft, Microsoft windows

Fri, 13 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-451
Metrics cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}
ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Fri, 13 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Incorrect security UI in PictureInPicture
References
Metrics threat_severity None
cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}
threat_severity Moderate


Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 11 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Description Incorrect security UI in PictureInPicture in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-03-13T12:50:13.977Z

Reserved: 2026-03-11T05:54:11.778Z

Link: CVE-2026-3927

Vulnrichment

Updated: 2026-03-13T12:50:08.312Z

NVD

Status: Analyzed

Published: 2026-03-11T22:16:35.357

Modified: 2026-03-13T20:15:11.997

Link: CVE-2026-3927

Redhat

Severity: Moderate

Published Date: 2026-03-10T00:00:00Z

Links: CVE-2026-3927 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T09:30:06Z

Weaknesses