Google Chrome's CVE-2026-0628 vulnerability allowed malicious extensions to escalate privileges via the Gemini Live panel, enabling attackers to access cameras, microphones, and local files through insufficient WebView policy enforcement.
Cybersecurity researchers have disclosed a critical vulnerability in Google Chrome that could have allowed malicious extensions to escalate privileges and gain unauthorized access to sensitive system resources through the browser's new Gemini Live panel. The flaw, tracked as CVE-2026-0628 with a CVSS score of 8.8, highlights the security risks emerging from integrating AI capabilities directly into web browsers.
The Vulnerability: Insufficient WebView Policy Enforcement
The security issue stemmed from insufficient policy enforcement in Chrome's WebView tag, which allowed attackers who convinced users to install malicious extensions to inject scripts or HTML into privileged pages. Google patched the vulnerability in early January 2026 with Chrome version 143.0.7499.192/.193 for Windows and Mac, and 143.0.7499.192 for Linux.
Palo Alto Networks Unit 42 researcher Gal Weizman discovered and reported the flaw on November 23, 2025. The vulnerability could have permitted malicious extensions with basic permissions to seize control of Chrome's new Gemini Live panel, which was introduced in September 2025 and can be launched by clicking the Gemini icon at the top of the browser window.
How the Attack Worked
The attack vector exploited the privileged access granted to AI agents within the browser environment. When the Gemini app loads within the new panel component, Chrome hooks it with access to powerful capabilities including file system access, screenshot functionality, and camera/microphone permissions.
"An extension with access to a basic permission set through the declarativeNetRequest API allowed permissions that could have enabled an attacker to inject JavaScript code into the new Gemini panel," Weizman explained. The declarativeNetRequest API, commonly used by ad-blocking extensions to intercept and modify web requests, became the entry point for privilege escalation.
Once a specially crafted extension was installed, it could inject arbitrary JavaScript code into the Gemini side panel. This would allow attackers to interact with the file system, take screenshots of any website, access the camera, and turn on the microphone – all features necessary for the AI assistant to perform its tasks but dangerous when abused.
The Broader Security Implications
The vulnerability highlights a growing concern as browsers increasingly integrate AI and agentic capabilities. While these features enable real-time content summarization, translation, and automated task execution, they also create new attack surfaces when malicious actors can embed hidden prompts in web pages.
"By placing this new component within the high-privilege context of the browser, developers could inadvertently create new logical flaws and implementation weaknesses," Weizman noted. "This could include vulnerabilities related to cross-site scripting (XSS), privilege escalation, and side-channel attacks that can be exploited by less-privileged websites or browser extensions."
The Double-Edged Sword of AI Integration
The core problem lies in the need to grant AI agents privileged access to perform multi-step operations. This creates a security paradox: the same capabilities that make AI assistants useful can be weaponized when an attacker tricks a victim into accessing a malicious web page.
The prompt could instruct the AI assistant to perform actions that would otherwise be blocked by the browser, leading to data exfiltration or code execution. Even more concerning, the web page could manipulate the agent to store instructions in memory, causing it to persist across sessions.
Attack Chain and Social Engineering
All it takes for an attacker is to trick an unsuspecting user into installing a specially crafted extension. Once installed, the extension can influence the Gemini panel in ways that bypass normal browser security restrictions.
"An extension influencing a website is expected. However, an extension influencing a component that is baked into the browser is a serious security risk," Unit 42 researchers emphasized. This distinction between by-design behavior and a security flaw represents a critical consideration as browsers evolve to include more integrated AI features.
Mitigation and Protection
Google's prompt patching of CVE-2026-0628 demonstrates the importance of keeping browsers updated to the latest versions. Users should ensure they're running Chrome 143.0.7499.192 or later to protect against this vulnerability.
Organizations should also review their browser extension policies, as the attack relies on users installing malicious extensions. Implementing extension whitelisting and educating users about the risks of installing unknown extensions can provide additional layers of protection.
The discovery of CVE-2026-0628 serves as a reminder that as browsers become more sophisticated with AI integration, the attack surface expands correspondingly. Security researchers and browser developers must work together to ensure that the convenience of AI-powered features doesn't come at the cost of fundamental browser security principles.
Related Security News:
- Anthropic Launches Claude Code Security for AI-Powered Vulnerability Scanning
- Cline CLI 2.3.0 Supply Chain Attack Installed OpenClaw on Developer Systems
- Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist's Phone in Police Custody
- AI-Assisted Threat Actor Compromises 600+ FortiGate Devices in 55 Countries
For organizations concerned about browser-based threats, implementing comprehensive endpoint protection and maintaining strict browser security policies remains essential as the threat landscape continues to evolve with AI integration.
Comments
Please log in or register to join the discussion