PT-2026-1549 · Google · Google Chrome

Gal Weizman · Published 2026-01-06 · Updated 2026-05-05 · CVE-2026-0628

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Google Chrome versions prior to 143.0.7499.192
Description: Insufficient policy enforcement in the WebView tag allows a remote attacker to inject scripts or HTML into privileged pages via a crafted Chrome extension. This issue can be exploited if a user is convinced to install a malicious extension. Specifically, the flaw allows extensions to intercept traffic and inject JavaScript into the Gemini AI side panel, which operates in a highly privileged context. This leads to privilege escalation, enabling the attacker to silently activate the webcam and microphone, capture screenshots, read local files, and inject fake messages into the Gemini interface.
Recommendations: Update Google Chrome to version 143.0.7499.192 or later. Restrict extension installation policies via enterprise policies or user education to prevent untrusted extensions from being added.
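As an added example (not part of this advisory or of Chrome's own tooling), the two recommendations above turned into a small POSIX shell script for a Linux host: it compares an installed Chrome version against the fixed build named in the advisory, and writes a managed policy file that blocks every extension except an allowlist. The policy names ExtensionInstallBlocklist and ExtensionInstallAllowlist are Chrome's documented enterprise policies; the policy directory is Chrome's default managed-policy path on Linux, and the 32-character extension ID is a placeholder to be replaced with the IDs an organisation actually approves.

```shell
#!/bin/sh
# Added example, not from the advisory. Two defensive steps for a Linux Chrome install:
#   1. decide whether an installed version is older than the fixed build (143.0.7499.192)
#   2. drop an enterprise policy so only allowlisted extensions can be installed
# FIXED_VERSION comes from the advisory; POLICY_DIR is Chrome's documented
# managed-policy path on Linux; the extension ID below is a PLACEHOLDER.

FIXED_VERSION="143.0.7499.192"
POLICY_DIR="/etc/opt/chrome/policies/managed"

# Returns 0 (true) when dotted version $1 is strictly older than $2.
# Relies on sort -V (GNU coreutils or busybox) for numeric, field-wise ordering.
version_lt() {
  [ "$1" = "$2" ] && return 1
  first=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
  [ "$first" = "$1" ]
}

# Prints "vulnerable" if the given installed version predates the fix, else "patched".
chrome_status() {
  if version_lt "$1" "$FIXED_VERSION"; then echo vulnerable; else echo patched; fi
}

# Writes the managed policy JSON into directory $1 (default: POLICY_DIR) and
# prints the file path. "*" in ExtensionInstallBlocklist blocks every extension;
# only IDs listed in ExtensionInstallAllowlist may then be installed.
write_extension_policy() {
  dir="${1:-$POLICY_DIR}"
  mkdir -p "$dir"
  cat > "$dir/extension_allowlist.json" <<'EOF'
{
  "ExtensionInstallBlocklist": ["*"],
  "ExtensionInstallAllowlist": ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"]
}
EOF
  echo "$dir/extension_allowlist.json"
}

# Stand-alone usage: report the status of a locally installed Chrome, if present.
# `google-chrome --version` prints "Google Chrome <version>", so the version is field 3.
if command -v google-chrome >/dev/null 2>&1; then
  installed=$(google-chrome --version | awk '{print $3}')
  echo "Installed $installed: $(chrome_status "$installed")"
fi
```

Run `write_extension_policy` as root to install the policy; Chrome picks up files in the managed directory on its next policy refresh, and chrome://policy shows what was applied.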

Tags: Exploit · Fix · LPE

Weakness Enumeration: Missing Authorization

Related Identifiers

BDU:2026-00887
CVE-2026-0628
DSA-6097-1
OPENSUSE-SU-2026:10016-1
OPENSUSE-SU-2026:20020-1

Affected Products

Debian
Google Chrome
Red Os