{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3927", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-03-11T05:54:11.778Z", "datePublished": "2026-03-11T22:04:09.852Z", "dateUpdated": "2026-03-13T12:50:13.977Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "146.0.7680.71", "status": "affected", "lessThan": "146.0.7680.71", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Incorrect security UI in PictureInPicture in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Incorrect security UI"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-03-11T22:04:09.852Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_10.html"}, {"url": "https://issues.chromium.org/issues/474948986"}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-451", "lang": "en", "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T12:48:55.659713Z", "id": "CVE-2026-3927", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T12:50:13.977Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3927", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T12:48:55.659713Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-451", "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T12:50:08.312Z"}}], "cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"status": "affected", "version": "146.0.7680.71", "lessThan": "146.0.7680.71", "versionType": "custom"}]}], "references": [{"url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_10.html"}, {"url": "https://issues.chromium.org/issues/474948986"}], "descriptions": [{"lang": "en", "value": "Incorrect security UI in PictureInPicture in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Incorrect security UI"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-03-11T22:04:09.852Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3927", "state": "PUBLISHED", "dateUpdated": "2026-03-13T12:50:13.977Z", "dateReserved": "2026-03-11T05:54:11.778Z", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "datePublished": "2026-03-11T22:04:09.852Z", "assignerShortName": "Chrome"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "C9898EF8-B616-4762-BD38-FFD790EE7517", "versionEndExcluding": "146.0.7680.71", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}, {"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect security UI in PictureInPicture in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)"}, {"lang": "es", "value": "Una interfaz de usuario de seguridad incorrecta en PictureInPicture en Google Chrome anterior a la versi\u00f3n 146.0.7680.71 permiti\u00f3 a un atacante remoto realizar suplantaci\u00f3n de UI a trav\u00e9s de una p\u00e1gina HTML manipulada. (Gravedad de seguridad de Chromium: Media)"}], "id": "CVE-2026-3927", "lastModified": "2026-03-13T20:15:11.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-11T22:16:35.357", "references": [{"source": "chrome-cve-admin@google.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_10.html"}, {"source": "chrome-cve-admin@google.com", "tags": ["Permissions Required"], "url": "https://issues.chromium.org/issues/474948986"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-451"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "chromium-browser: Incorrect security UI in PictureInPicture", "id": "2446857", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446857"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "status": "draft"}, "details": ["An incorrect security ui flaw was found in the PictureInPicture component of the Chromium browser.\nUpstream bug(s):\nhttps://code.google.com/p/chromium/issues/detail?id=474948986"], "name": "CVE-2026-3927", "public_date": "2026-03-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-3927\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-3927\nhttps://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_10.html\nhttps://issues.chromium.org/issues/474948986"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[146.0.7680.71,146.0.7680.71)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-16T09:18:24.816974+00:00", "value": {"mitigation_remediation": ["Apply the official Chrome update to version 146.0.7680.71 or later, which resolves the UI integrity flaw identified as CWE-451.", "Configure Chrome policies or settings to disable or restrict Picture-in-Picture for untrusted web content, mitigating the UI spoofing defect (CWE-451).", "Continuously monitor Chrome security releases and apply any subsequent fixes that address CWE-451 or similar UI vulnerabilities."], "summary": {"action": "Patch Now", "impact": "UI spoofing via malicious Picture-in-Picture overlays"}, "threat_synthesis": {"affected_systems": "All operating systems supported by Google Chrome are affected, as the flaw exists in the browser itself. The security issue applies to Chrome versions prior to 146.0.7680.71 and is present on macOS, Linux, and Windows platforms. Updating to the specified version or newer removes the incorrect UI behavior.", "description_and_impact": "The vulnerability is an incorrect security interface in the Picture-in-Picture feature of Google Chrome that lets a remote attacker use a crafted web page to display UI elements that appear legitimate. This graphic spoofing can deceive users into interacting with deceptive content or trusting a page that it is not. The impact is confined to the user interface and does not grant code execution or direct access to system data.", "risk_and_exploitability": "With a CVSS score of 4.3 and an EPSS of less than 1%, the risk is moderate and exploitation unlikely to be widespread. The flaw is not listed in the CISA KEV catalog, indicating no known active exploitation. The attack vector is inferred to be a normal web browsing session where a malicious site serves a specially crafted page that forces the browser to open Picture-in-Picture with a counterfeit security UI. Successful exploitation requires the target user to interact with the overlay, leading to possible user confusion or phishing."}}}}, "created": "2026-03-12T09:55:24.836900+00:00", "updated": "2026-04-16T09:30:06.039212+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}