thehackernews.com 3/2/2026, 5:46:57 PM · via preferred

Chrome CVE-2026-0628 enables WebView abuse to access camera, mic

CyberSIXT Evidence Panel
CISA KEV: Not in KEV
Patch: Available

Cybersecurity researchers disclosed a now-patched Chrome flaw, CVE-2026-0628 (CVSS 8.8), described as insufficient policy enforcement in the WebView tag that could let attackers use a malicious extension to inject scripts into a privileged page. The patch arrived in early January 2026 as Chrome version 143.0.7499.192/.193 for Windows and macOS and 143.0.7499.192 for Linux.

According to the NIST National Vulnerability Database, an attacker who convinced a user to install a malicious extension could exploit the flaw to inject code into a privileged page and trigger privilege escalation. Palo Alto Networks Unit 42, which reported the flaw after its discovery on 23 November 2025 by Gal Weizman, warned that extensions with basic permissions could take control of the Gemini Live panel, potentially enabling access to the victim’s camera, microphone, and local files, and even allowing screenshots.

Google had added Gemini integration to Chrome in September 2025, and the vulnerability highlights risks from embedding AI-enabled components in the browser that could be abused by social engineering or other means.


Article by CyberSIXT