CVE-2026-0628: Chrome Extensions Exploit Gemini Panel for Privilege Escalation

Google Chrome's integration of AI capabilities through the Gemini panel has introduced a critical attack surface that security teams need to address immediately. CVE-2026-0628 (CVSS 8.8) — an insufficient policy enforcement flaw in Chrome's WebView tag — allowed malicious browser extensions to inject scripts into the privileged Gemini Live panel, escalating from a simple extension to full system-level access. What Happened Discovered by Gal Weizman of Palo Alto Networks Unit 42 in November 2025, the vulnerability affects Chrome versions prior to 143.0.7499.192 on Linux and 143.0.7499.193 on Windows/Mac. Google patched it in January 2026, but the implications for browser-based AI security are significant. The core issue: Chrome grants the Gemini panel elevated permissions for multi-step AI operations — camera access, screenshot capabilities, local file reads. Extensions exploiting CVE-2026-0628 could hijack these privileges through script injection into the WebView context. Technical Br

CVE-2026-0628: Chrome Extensions Exploit Gemini Panel for Privilege Escalation

Related Articles

Hands-on with Lenovo's modular laptop: a promising concept (and not too far-fetched)

The two kinds of error

BlipBlox After Dark Review: a Synthesizer for Everybody

Lenovo's new PCs offer a glimpse of the future - and it's modular

Remote Control Is the Last Piece. Anthropic’s Agent Stack Is Now Complete.

Related Articles

News
Hands-on with Lenovo's modular laptop: a promising concept (and not too far-fetched)
ZDNet • 9h ago

News
The two kinds of error
Lobsters • 9h ago

News
BlipBlox After Dark Review: a Synthesizer for Everybody
Wired • 10h ago

News
Lenovo's new PCs offer a glimpse of the future - and it's modular
ZDNet • 10h ago

News
Remote Control Is the Last Piece. Anthropic’s Agent Stack Is Now Complete.
Medium Programming • 11h ago