PT-2026-1549 · Google · Google Chrome

Gal Weizman · Published 2026-01-06 · Updated 2026-03-28 · CVE-2026-0628

CVSS v2.0: 10 (High) · AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Google Chrome versions prior to 143.0.7499.192
Chromium versions prior to 143.0.7499.192
Android System WebView versions prior to 143.0.7499.192
Microsoft Edge (Chromium-based) versions prior to 143.0.7499.192
chromedriver versions prior to 143.0.7499.192-1.1
Debian chromium versions 143.0.7499.192-1deb12u1 and 143.0.7499.192-1deb13u1

Description

A high-severity vulnerability exists in Google Chrome and Chromium due to insufficient policy enforcement within the WebView tag. A crafted, malicious browser extension, even one holding only basic permissions, can use this flaw to inject scripts or HTML into privileged pages. Exploitation can lead to privilege escalation, giving the extension access to sensitive resources such as the camera, microphone, screenshots, and local files. The vulnerability, tracked as CVE-2026-0628, affects Chrome's Gemini AI panel and WebView-based applications. The issue arises from the way Chrome handles declarativeNetRequest for the Gemini WebView, which creates a new attack surface. No user interaction beyond installing the malicious extension is required.

Recommendations

Update Google Chrome to version 143.0.7499.192 or later.
Update Chromium to version 143.0.7499.192 or later.
Update Android System WebView to version 143.0.7499.192 or later.
Update Microsoft Edge (Chromium-based) to version 143.0.7499.192 or later.
Update chromedriver to version 143.0.7499.192-1.1 or later.
Restrict extension installation policies so that untrusted extensions cannot be installed.
Review installed extensions and remove any that are unrecognized or have recently requested new permissions.
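The update recommendations above reduce to one check per host: is the installed build at or above the fixed version this advisory names? The following is an added example (not part of the advisory and not tooling from Google, Microsoft or Debian) that encodes the fixed versions listed above and audits a constructed inventory against them. The inventory rows, the host names and the helper names are assumptions for illustration; the revision handling (treating digit runs after the "-" as a numeric tuple) is a deliberate simplification of real package-version ordering.

```python
import re
from typing import List, Tuple

# Fixed versions as stated in the advisory (PT-2026-1549 / CVE-2026-0628).
FIXED_VERSIONS = {
    "google chrome": "143.0.7499.192",
    "chromium": "143.0.7499.192",
    "android system webview": "143.0.7499.192",
    "microsoft edge": "143.0.7499.192",
    "chromedriver": "143.0.7499.192-1.1",
}


def parse_version(version: str) -> Tuple[Tuple[int, ...], Tuple[int, ...]]:
    """Split 'upstream[-revision]' into two integer tuples.

    The upstream part is dotted digits (e.g. 143.0.7499.192). The optional
    revision is reduced to its digit runs, so '1.1' -> (1, 1) and a Debian
    style '1deb12u1' -> (1, 12, 1). This is an assumption-level simplification
    of dpkg ordering, adequate for comparing against the advisory's values.
    """
    upstream, _, revision = version.strip().partition("-")
    up = tuple(int(p) for p in upstream.split("."))
    rev = tuple(int(n) for n in re.findall(r"\d+", revision)) if revision else ()
    return up, rev


def is_patched(product: str, installed: str) -> bool:
    """True when the installed version is at or above the advisory's fix."""
    key = product.strip().lower()
    if key not in FIXED_VERSIONS:
        raise KeyError(f"no fixed version recorded for {product!r}")
    have_up, have_rev = parse_version(installed)
    need_up, need_rev = parse_version(FIXED_VERSIONS[key])
    if have_up != need_up:
        # Integer tuples compare component by component, so 143.0.7499.191
        # sorts below 143.0.7499.192 and 144.x sorts above it.
        return have_up > need_up
    # Same upstream build: the packaging revision decides (chromedriver case).
    return have_rev >= need_rev


def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) rows that are still exposed."""
    return [(h, p, v) for h, p, v in inventory if not is_patched(p, v)]


# Constructed sample inventory; none of these hosts or versions come from the advisory.
SAMPLE_INVENTORY = [
    ("ws-01", "Google Chrome", "143.0.7499.191"),      # one build short of the fix
    ("ws-02", "Google Chrome", "143.0.7499.192"),      # exactly the fixed build
    ("ws-03", "Microsoft Edge", "144.0.1.5"),          # newer major, patched
    ("ci-01", "chromedriver", "143.0.7499.192-1.0"),   # right build, old revision
    ("ci-02", "chromedriver", "143.0.7499.192-1.1"),   # fixed revision
]

if __name__ == "__main__":
    for host, product, version in audit(SAMPLE_INVENTORY):
        print(f"VULNERABLE {host}: {product} {version}")
```

Feed `audit()` rows exported from your endpoint-management or software-inventory system; anything it returns is a host that still needs the update or, failing that, the extension-policy restrictions the advisory recommends.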

Exploit

Fix

LPE

Missing Authorization

Weakness Enumeration

Related Identifiers

BDU:2026-00887
CVE-2026-0628
DSA-6097-1
OPENSUSE-SU-2026:10016-1
OPENSUSE-SU-2026:20020-1

Affected Products

Debian
Google Chrome
Red Os