CVE-2026-2318
📋 TL;DR
This vulnerability allows attackers to perform UI spoofing in Chrome's Picture-in-Picture feature. By convincing users to perform specific UI gestures on a malicious webpage, attackers can display fake UI elements that appear legitimate. All Chrome users on affected versions are vulnerable.
💻 Affected Systems
- Google Chrome
- Chromium-based browsers
📦 What is this software?
Chrome by Google
Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...
⚠️ Risk & Real-World Impact
Worst Case
Attackers could display fake login prompts, security warnings, or payment interfaces that trick users into entering sensitive credentials or authorizing fraudulent transactions.
Likely Case
Phishing attacks where users are tricked into entering credentials on fake login forms that appear to be legitimate websites.
If Mitigated
Users who verify URLs and are cautious with unexpected UI prompts would be less likely to fall victim, though the spoofing could still appear convincing.
🎯 Exploit Status
Exploitation requires user interaction (specific UI gestures) and a crafted HTML page. No authentication bypass needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 145.0.7632.45 and later
Vendor Advisory: https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_10.html
Restart Required: No
Instructions:
1. Open Chrome and click the three-dot menu.
2. Go to Help > About Google Chrome.
3. Chrome will automatically check for updates and install version 145.0.7632.45 or later.
4. Relaunch Chrome if prompted.
🔧 Temporary Workarounds
Disable Picture-in-Picture
Temporarily disable the Picture-in-Picture feature to prevent exploitation
chrome://flags/#enable-picture-in-picture
Set to Disabled
🧯 If You Can't Patch
- Use browser extensions that block malicious websites and warn about suspicious UI elements
- Educate users to never interact with unexpected Picture-in-Picture windows and to verify website authenticity
🔍 How to Verify
Check if Vulnerable:
Check the Chrome version via chrome://settings/help or by typing chrome://version/ in the address bar
Check Version:
google-chrome --version
Verify Fix Applied:
Confirm Chrome version is 145.0.7632.45 or higher
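An added helper for the version check above (not from the advisory or from Google): it parses the output of `google-chrome --version` and compares it component by component against the fixed build 145.0.7632.45, because a plain string comparison would rank 145.0.7632.9 above 145.0.7632.45. The function names and the sample version strings are constructed for this example.

```shell
#!/bin/sh
# Added example: is the installed Chrome at or above the fixed version
# given in the advisory for CVE-2026-2318?
FIXED_VERSION="145.0.7632.45"

# Pull the first four-part dotted version out of a string such as
# "Google Chrome 144.0.7559.109" or "Chromium 145.0.7632.45 snap".
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+){3}' | head -n 1
}

# Return 0 when version $1 >= version $2, comparing each numeric component;
# a missing component counts as 0.
version_ge() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s' "$b" | cut -d. -f"$i"); y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Print a verdict for one "--version" output line.
# Exit status: 0 patched, 1 vulnerable, 2 no version found.
check_chrome_version() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo "UNKNOWN: no version string in: $1"
        return 2
    fi
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "PATCHED: $v >= $FIXED_VERSION"
        return 0
    fi
    echo "VULNERABLE: $v < $FIXED_VERSION (update to $FIXED_VERSION or later)"
    return 1
}

# Check the locally installed browser when one is present.
if command -v google-chrome >/dev/null 2>&1; then
    check_chrome_version "$(google-chrome --version 2>/dev/null)"
fi
```

The script's exit status mirrors the verdict, so it can be used as-is in a fleet inventory job.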
📡 Detection & Monitoring
Log Indicators:
- Unusual Picture-in-Picture API calls in browser logs
- Multiple failed authentication attempts following PiP window appearances
Network Indicators:
- Traffic to known malicious domains that trigger PiP functionality
- Unusual iframe loading patterns
SIEM Query:
source="chrome_logs" AND "picture-in-picture" AND ("gesture" OR "spoof")