Description
Incorrect security UI in PictureInPicture in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-03-11
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: User Interface Spoofing
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an incorrect security UI in Google Chrome’s Picture‑in‑Picture (PIP) mode. A remote attacker can craft an HTML page that triggers PIP and displays UI elements that appear legitimate but mimic system notifications or prompts, allowing the user to be deceived into interacting with malicious content. This constitutes user interface spoofing (CWE‑451) and could lead to social‑engineering attacks.

Affected Systems

Google Chrome browsers below version 146.0.7680.71 on any supported operating system—Windows, macOS, and Linux—are affected. The issue is present in the stable channel build and impacts all users who enable PIP on webpages.

Risk and Exploitability

The CVSS v3.1 score of 4.3 reflects a low severity. The EPSS score is less than 1 %, indicating a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to get the victim to visit a malicious webpage with PIP enabled; the exploit is remote and requires no local privilege. Given the low probability and user‑centric impact, the risk is considered low, but mitigation through updating remains recommended.

Generated by OpenCVE AI on April 16, 2026 at 02:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to the latest stable release (at least 146.0.7680.71) to remove the UI spoofing issue.
  • Ensure automatic updates are enabled for Chrome so future patches are applied promptly.
  • Limit Picture‑in‑Picture usage to trusted sites or disable the feature until the issue is fully resolved.

Generated by OpenCVE AI on April 16, 2026 at 02:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6164-1 chromium security update
History

Fri, 13 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 13 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Incorrect security UI in PictureInPicture
References
Metrics threat_severity

None

 threat_severity

Low

Thu, 12 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-451
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 11 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Description Incorrect security UI in PictureInPicture in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-03-12T14:33:33.201Z

Reserved: 2026-03-11T05:54:15.911Z

Link: CVE-2026-3942

cve-icon Vulnrichment

Updated: 2026-03-12T14:31:44.036Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T22:16:36.883

Modified: 2026-03-13T15:41:48.940

Link: CVE-2026-3942

cve-icon Redhat

Severity : Low

Publid Date: 2026-03-10T00:00:00Z

Links: CVE-2026-3942 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T03:00:09Z

Weaknesses