Full Report
Cybersecurity researchers have disclosed details of a now-patched security flaw in Google Chrome that could have permitted attackers to escalate privileges and gain access to local files on the system. The vulnerability, tracked as CVE-2026-0628 (CVSS score: 8.8), has been described as a case of insufficient policy enforcement in the WebView tag. It was patched by Google in early January 2026
Analysis Summary
# Vulnerability: Insufficient Policy Enforcement in Google Chrome WebView Leading to Privilege Escalation
## CVE Details
- CVE ID: CVE-2026-0628
- CVSS Score: 8.8 (High)
- CWE: Insufficient Policy Enforcement (Implied)
## Affected Systems
- Products: Google Chrome (Desktop)
- Versions: Prior to 143.0.7499.192 (Windows/Mac) and 143.0.7499.192 (Linux). (The patch was released for versions 143.0.7499.192/.193 on Windows/Mac and 143.0.7499.192 on Linux).
- Configurations: Systems where a malicious browser extension could be installed by the user, specifically targeting the Gemini Panel integration.
## Vulnerability Description
The flaw is described as "insufficient policy enforcement in the WebView tag" within Google Chrome. This vulnerability allowed a successfully installed malicious browser extension (even one with basic permissions, such as those utilizing the `declarativeNetRequest` API) to inject scripts or HTML into a privileged page hosted in the new Gemini Live panel. Since the Gemini panel operates in a high-privilege context, exploitation could grant the extension arbitrary code execution within the context of `gemini.google[.]com/app`, effectively bypassing sandbox restrictions related to that panel.
## Exploitation
- Status: Details disclosed; patched before evidence of widespread exploitation was publicized. Patch availability suggests risk diminishes upon update.
- Complexity: Low (Relies on getting the user to install a malicious extension with basic permissions).
- Attack Vector: Local (Requires installation of a malicious extension).
## Impact
- Confidentiality: High (Potential access to local files, camera, microphone, and sensitive data displayed on websites viewed via the manipulated panel).
- Integrity: High (Ability to execute arbitrary code/scripts within the privileged Gemini context).
- Availability: Low (Primary impact is on user privacy and data integrity, not system uptime).
## Remediation
### Patches
- Google released patches in early January 2026.
- **Fixed Versions:**
- Windows/Mac: Version 143.0.7499.192 and later.
- Linux: Version 143.0.7499.192 and later.
### Workarounds
- No specific workarounds were detailed in the summary, but general mitigation would involve restricting extension installation or disabling the Gemini panel integration if patches cannot be applied immediately.
## Detection
- Indicators of Compromise: Monitoring for unusual script injections or excessive permission utilization by browser extensions within the context of the Gemini panel (`gemini.google[.]com/app`).
- Detection methods and tools: Endpoint detection and response (EDR) or browser security monitoring tools capable of inspecting extension behavior and dynamically analyzing browser context interaction, particularly concerning the `declarativeNetRequest` API interaction with new AI-integrated features.
## References
- Vendor Advisories: [https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop.html] (Defanged)
- Research Disclosure: [https://unit42.paloaltonetworks.com/gemini-live-in-chrome-hijacking/] (Defanged)
- NIST NVD: [https://nvd.nist.gov/vuln/detail/CVE-2026-0628] (Defanged)