CVE-2026-13942 Overview
CVE-2026-13942 is a user interface (UI) spoofing vulnerability in the Video Capture component of Google Chrome on ChromeOS. Versions prior to 150.0.7871.47 allow a local attacker to spoof security-relevant UI elements through a crafted HTML page. Google classifies the Chromium security severity as Medium, while the NVD CVSS 3.1 base score is 3.3. Exploitation requires local access and user interaction, and impacts integrity without affecting confidentiality or availability. The underlying weakness is tracked as [CWE-20: Improper Input Validation]. No public proof-of-concept, exploit code, or in-the-wild activity has been reported.
Critical Impact
A local attacker can present misleading Video Capture UI through a crafted HTML page, tricking users into granting camera or microphone access under false pretenses.
Affected Products
- Google Chrome on ChromeOS prior to 150.0.7871.47
- Google ChromeOS builds shipping Chrome versions earlier than 150.0.7871.47
- Chromium-based Video Capture implementations aligned with the affected Chrome branch
Discovery Timeline
- 2026-06-30 - CVE-2026-13942 published to the National Vulnerability Database
- 2026-07-02 - Last updated in the NVD database
- Patch release - Fix delivered in the Chrome Stable Channel Update for Desktop
Technical Details for CVE-2026-13942
Vulnerability Analysis
The defect resides in Chrome's Video Capture subsystem on ChromeOS. An inappropriate implementation permits a crafted HTML page to influence how capture-related UI is presented to the user. Because the UI can be manipulated, the browser fails to give users an accurate view of which origin is requesting camera or microphone access. This category of flaw enables social engineering attacks that convert a benign-looking page interaction into an unintended permission grant. The vulnerability is scoped as local because the attacker must deliver content that the victim renders on the affected device. It requires user interaction and does not enable code execution or memory corruption. Impact is limited to integrity, aligning with the low severity rating.
Root Cause
The root cause is improper input validation ([CWE-20]) in the Video Capture UI logic. Chromium's Video Capture code does not sufficiently constrain how attacker-controlled HTML can influence surrounding browser chrome and permission prompts. As a result, an attacker can construct page content that overlaps, obscures, or mimics trusted UI regions. The Chromium issue tracker entry 513186670 contains the internal discussion and fix references.
Attack Vector
An attacker hosts or delivers a crafted HTML page to a ChromeOS user running Chrome earlier than 150.0.7871.47. When the user visits the page and interacts with Video Capture prompts, the manipulated UI misrepresents the requesting origin or permission scope. If the user approves the prompt, the attacker gains access to camera or microphone streams under a spoofed identity. No authentication is required, but the user must actively engage with the deceptive interface for the attack to succeed.
Detection Methods for CVE-2026-13942
Indicators of Compromise
- Unexpected camera or microphone activation on ChromeOS devices running Chrome versions prior to 150.0.7871.47
- Browser telemetry showing getUserMedia permission grants to unfamiliar or newly visited origins
- HTML pages that render overlays, iframes, or CSS positioning near Video Capture permission prompts
- User reports of permission dialogs whose displayed origin does not match the visible URL bar
Detection Strategies
- Inventory ChromeOS endpoints and flag any device running Chrome earlier than 150.0.7871.47
- Review enterprise Chrome reporting for permission grants to camera and microphone APIs on unmanaged origins
- Hunt in web proxy logs for URLs whose page content requests MediaDevices.getUserMedia shortly after load
Monitoring Recommendations
- Enable Chrome Enterprise reporting and forward browser events to a centralized log platform for review
- Alert on ChromeOS devices that fall behind the current Stable channel version for more than one release cycle
- Track user-reported phishing or UI confusion tickets that reference camera or microphone prompts
How to Mitigate CVE-2026-13942
Immediate Actions Required
- Update ChromeOS devices to a build containing Chrome 150.0.7871.47 or later
- Confirm managed devices are enrolled in the Stable channel and set to auto-update through the admin console
- Communicate to users that they should deny Video Capture prompts on unfamiliar sites until updates are verified
Patch Information
Google addressed CVE-2026-13942 in the ChromeOS Stable channel update that ships Chrome 150.0.7871.47. Administrators should apply the update referenced in the Google Chrome Stable Channel Update announcement. Technical background is available in the Chromium Issue Tracker entry 513186670.
Workarounds
- Restrict camera and microphone permissions site-by-site through ChromeOS user settings until patching is complete
- Deploy the VideoCaptureAllowedUrls and AudioCaptureAllowedUrls enterprise policies to allowlist only trusted origins
- Train users to verify the origin displayed in Video Capture prompts and cancel any prompt that appears inconsistent with the visible page
# Verify installed Chrome version on a ChromeOS device
# From the crosh shell or a terminal:
chrome://version
# Enterprise admins: enforce auto-update and restrict capture origins
# via the Google Admin console (Devices > Chrome > Settings > Users & browsers)
# Relevant policies:
# DeviceAutoUpdateDisabled = false
# VideoCaptureAllowedUrls = ["https://trusted.example.com"]
# AudioCaptureAllowedUrls = ["https://trusted.example.com"]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

