Details have emerged about a critical security vulnerability in Google Chrome, potentially enabling attackers to escalate privileges and access local files. This flaw, identified as CVE-2026-0628 with a CVSS score of 8.8, has been fixed by Google in January 2026, affecting Chrome versions up to 143.0.7499.192/.193 for Windows/Mac and 143.0.7499.192 for Linux.
Vulnerability in the WebView Tag
The vulnerability stemmed from inadequate policy enforcement in Chrome’s WebView tag, as noted by the National Institute of Standards and Technology (NIST). Attackers could exploit this weakness by persuading users to install malicious extensions, allowing them to inject scripts or HTML into privileged pages.
Researcher Gal Weizman from Palo Alto Networks Unit 42 discovered and reported the flaw in late November 2025. This issue allowed extensions with basic permissions to control Chrome’s Gemini Live panel, introduced in September 2025.
Potential Risks and Exploits
The exploitation of this vulnerability could enable attackers to gain unauthorized access to a user’s camera and microphone, capture screenshots, and access local files without consent. This highlights a new threat vector as AI and agentic capabilities become integrated into web browsers, potentially enabling such abuses.
AI assistants in browsers require privileged access to perform complex tasks, posing risks if attackers embed hidden prompts in malicious web pages. Users could be tricked into accessing these pages, leading to data theft or unauthorized code execution.
Broader Implications for Browser Security
The inclusion of AI features in browsers revives traditional security risks, such as cross-site scripting and privilege escalation. Extensions operating under the declarativeNetRequest API could potentially exploit this flaw by injecting JavaScript into the Gemini panel, enabling unauthorized actions.
Weizman emphasized that while extensions can influence websites, influencing built-in browser components poses a significant security threat. This distinction underscores the necessity for robust security measures as browsers evolve to incorporate advanced functionalities.
In summary, this security flaw in Chrome underlines the importance of rigorous cybersecurity practices and continuous monitoring as browsers integrate more sophisticated technologies.
