
New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel

Published:

2 March 2026, 17:08:00

Alert date:

2 March 2026, 18:02:45

Source:

thehackernews.com


Web Technologies, Zero-Day Vulnerabilities, Emerging Technologies

A high-severity flaw in Google Chrome (CVE-2026-0628), described as insufficient policy enforcement in the WebView tag, let a malicious extension escalate its privileges and reach local files. The affected component is the Gemini Live panel, which loads gemini.google.com/app inside a privileged Chrome page; the flaw carries a CVSS score of 8.8. Google shipped the fix in early January 2026. Exploitation requires that the user has already installed a malicious extension, so the risk is concentrated on users and fleets with weak extension hygiene rather than on every Chrome user.

Technical details

CVE-2026-0628 is an insufficient-policy-enforcement bug in the WebView tag. A malicious extension that only holds the declarativeNetRequest API permission could use it to inject JavaScript into the privileged Gemini Live panel, which embeds gemini.google.com/app in a webview hosted by a privileged Chrome page. Code running in that context inherits the panel's elevated capabilities, including camera and microphone access, screenshot capture, and file system access, so the extension escapes the normal extension sandbox and Chrome's security model. The prerequisite is an installed extension; no user interaction with the panel beyond what the extension can trigger is described in the source, and the exact injection path is not detailed on this page.

Mitigation steps:

Update Google Chrome to version 143.0.7499.192/.193 (Windows/Mac) or 143.0.7499.192 (Linux), or any later stable release, and confirm the installed build at chrome://version. Review installed extensions at chrome://extensions and remove anything unfamiliar or unnecessary; extensions holding declarativeNetRequest (or the WithHostAccess variant) together with broad host permissions deserve the closest look, because that permission is all the source says was needed. Install extensions only from trusted sources. In managed environments, enforce an allowlist with the ExtensionInstallAllowlist / ExtensionInstallBlocklist policies rather than relying on users to vet extensions themselves.
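The following script turns the mitigation steps above into a repeatable check. It is an added example for this advisory, not code from Google, The Hacker News or Perceptive. It assumes the on-disk layout <profile>/Extensions/<id>/<version>/manifest.json (the usual Chrome layout, but not stated on the page) and applies Chrome's match-pattern syntax to host permissions; the sample manifests at the bottom are constructed for the demo and do not describe any real extension.

```python
"""Audit a Chrome profile's extensions for the permission the advisory names
(declarativeNetRequest) and check whether the build is at or past the fix.

Added example for this advisory, not code from Google, The Hacker News or
Perceptive. Assumed (not stated on the page): the Extensions/<id>/<version>/
manifest.json layout and the host-permission matching rules below.
"""
import json
import os
from typing import Dict, List, Tuple

# First fixed build named in the advisory (.193 on Windows/Mac is also fixed).
FIXED_VERSION: Tuple[int, int, int, int] = (143, 0, 7499, 192)

# The advisory says plain declarativeNetRequest is enough; the other two are the
# same API family with broader reach, so they are flagged too (assumption).
DNR_PERMISSIONS = {
    "declarativeNetRequest",
    "declarativeNetRequestWithHostAccess",
    "declarativeNetRequestFeedback",
}
TARGET_HOST = "gemini.google.com"  # origin loaded inside the Gemini panel


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """'143.0.7499.192' -> (143, 0, 7499, 192); missing parts become 0."""
    nums = [int(p) if p.isdigit() else 0 for p in version.strip().split(".")]
    nums += [0] * (4 - len(nums))
    return tuple(nums[:4])


def is_patched(version: str) -> bool:
    """Tuple comparison handles later majors (144.x) as well as later builds."""
    return parse_version(version) >= FIXED_VERSION


def host_pattern_matches(pattern: str, host: str) -> bool:
    """True if a Chrome match pattern (a host_permissions entry) covers host."""
    if pattern == "<all_urls>":
        return True
    rest = pattern.split("://", 1)[1] if "://" in pattern else pattern
    host_part = rest.split("/", 1)[0]
    if host_part == "*":
        return True
    if host_part.startswith("*."):
        suffix = host_part[2:]
        return host == suffix or host.endswith("." + suffix)
    return host_part == host


def audit_manifest(manifest: Dict) -> Dict:
    """Summarise one manifest.json for the points this advisory cares about."""
    perms = set(manifest.get("permissions", []))
    # MV3 keeps host patterns in host_permissions; MV2 mixed them into permissions.
    host_perms = list(manifest.get("host_permissions", [])) + [
        p for p in perms if "://" in p or p == "<all_urls>"
    ]
    rule_sets = manifest.get("declarative_net_request", {}).get("rule_resources", [])
    return {
        "name": manifest.get("name", "?"),
        "dnr": sorted(perms & DNR_PERMISSIONS),
        "covers_target": any(host_pattern_matches(p, TARGET_HOST) for p in host_perms),
        "rule_sets": len(rule_sets),  # static DNR rule files worth reading by hand
    }


def needs_review(manifest: Dict, chrome_version: str) -> bool:
    """Flag when the build is unpatched and the extension holds any DNR
    permission. Host access to the target widens what the rules can touch
    but, per the advisory, is not required, so it does not change the verdict."""
    return not is_patched(chrome_version) and bool(audit_manifest(manifest)["dnr"])


def audit_profile(extensions_dir: str, chrome_version: str) -> List[Dict]:
    """Walk the assumed <profile>/Extensions tree and audit every manifest."""
    results: List[Dict] = []
    if not os.path.isdir(extensions_dir):
        return results
    for root, _dirs, files in os.walk(extensions_dir):
        if "manifest.json" not in files:
            continue
        with open(os.path.join(root, "manifest.json"), encoding="utf-8") as fh:
            manifest = json.load(fh)
        summary = audit_manifest(manifest)
        summary["path"] = root
        summary["needs_review"] = needs_review(manifest, chrome_version)
        results.append(summary)
    return results


# Constructed sample manifests (not real extensions) to exercise the checks.
SAMPLE_MANIFESTS = [
    {"name": "tab-notes", "manifest_version": 3, "permissions": ["storage"]},
    {"name": "request-shaper", "manifest_version": 3,
     "permissions": ["declarativeNetRequest"],
     "host_permissions": ["<all_urls>"],
     "declarative_net_request": {"rule_resources": [
         {"id": "rules", "enabled": True, "path": "rules.json"}]}},
]

if __name__ == "__main__":
    build = "143.0.7499.150"  # constructed pre-fix build for the demo
    for m in SAMPLE_MANIFESTS:
        print(audit_manifest(m), "REVIEW" if needs_review(m, build) else "ok")
```

Point audit_profile at the Extensions directory of the profile in question (for example ~/.config/google-chrome/Default/Extensions on Linux) and pass the build string from chrome://version; a "needs_review" hit means the extension holds the permission the source says sufficed, on a build that has not received the fix, and its declarative rules should be read before it is allowed to stay.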

Affected products:

Google Chrome prior to version 143.0.7499.192/.193 (Windows/Mac)
Google Chrome prior to version 143.0.7499.192 (Linux)
Chrome Gemini Live panel integration

Indicators:

gemini.google.com/app (the legitimate origin loaded inside the Gemini panel and targeted by the injection; it is not a malicious domain and should not be blocked)

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
