Summary of CVE-2026-0628 Vulnerability in Chrome
CVE-2026-0628, with a CVSS score of 8.8, is a significant security flaw in Chrome that permitted rogue extensions to hijack the Gemini panel’s camera, microphone, and file access. The root cause was that Chrome developers did not include the chrome://glic WebView in the blocklist meant to prevent extensions from intercepting privileged browser components. The vulnerability was identified by Gal Weizman of Palo Alto Networks in November 2025. It meant that extensions with only basic permissions could exploit elevated privileges, enabling unauthorized actions such as accessing user files and injecting malicious scripts. Google swiftly patched the issue in Chrome version 143.0.7499.192 in January 2026. The incident highlights the increasing security risks of integrating AI capabilities into browsers and underscores the need for rigorous security protocols for every new AI feature. Users are urged to update their browsers promptly to mitigate this vulnerability.
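To act on the update advice across a fleet, the following added example (not part of the original summary or any Google tooling) classifies reported Chrome version strings against the fixed build named above. The hostnames and sample version strings are constructed, and it assumes that any Google Chrome build numbered below 143.0.7499.192 is unpatched; other Chromium-based browsers and release channels are out of scope.

```python
import re

# Fixed build as stated in the summary above.
FIXED = (143, 0, 7499, 192)

# Matches the four-part build number in strings such as "Google Chrome 143.0.7499.192".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the build as a 4-tuple of ints, or None if no build number is found."""
    m = _VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(text, fixed=FIXED):
    """Return 'patched', 'vulnerable' or 'unknown' for one reported version string.

    Assumption: a build below `fixed` is unpatched (Google Chrome only).
    """
    v = parse_version(text)
    if v is None:
        return "unknown"  # missing or unparsable data needs manual follow-up
    # Tuple comparison is numeric per component, so 7499.99 sorts below 7499.192;
    # a plain string comparison would get that wrong.
    return "patched" if v >= fixed else "vulnerable"


def audit(inventory):
    """Group hostnames by status. `inventory` maps hostname -> reported version string."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, text in sorted(inventory.items()):
        report[classify(text)].append(host)
    return report


# Constructed sample inventory (hypothetical hostnames and version strings).
SAMPLE_INVENTORY = {
    "ws-001": "Google Chrome 143.0.7499.192",
    "ws-002": "Google Chrome 143.0.7499.99",
    "ws-003": "Google Chrome 142.0.7444.176 ",
    "ws-004": "Google Chrome 144.0.7559.60",
    "ws-005": "",
    "ws-006": "chrome: command not found",
}

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```

Hosts reported as `unknown` should be treated as unverified rather than safe, since an empty or failed version query says nothing about the installed build.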