What CVE-2026-0628 is
CVE-2026-0628 is the first major security flaw Google patched in Chrome in 2026. It is an insufficient policy enforcement bug in the browser’s WebView component, specifically in the implementation of the <webview> tag. It is rated high severity and, according to the National Vulnerability Database, carries a CVSS score of 8.8.
The root cause is that certain security rules meant to isolate extension content from the browser’s privileged pages are not enforced consistently. By exploiting that gap, a malicious extension with only basic permissions could inject scripts or HTML into privileged contexts that would normally be off limits, bypassing the security boundaries that separate extension content from Chrome’s internal pages.
Who is affected
The flaw affects versions of Google Chrome prior to 143.0.7499.192 on Windows, macOS and Linux. Because Chromium is the foundation of many derived browsers (Edge, Brave, Opera, Vivaldi) and of the WebViews embedded in countless applications, including those on Android, the exposure surface is broad: any scenario that renders web content through the Chromium engine can inherit the vulnerable component until it is updated.
Researcher Gal Weizman, of Palo Alto Networks’ Unit 42 team, discovered and reported the issue on November 23, 2025. According to his analysis, the flaw could have allowed an extension with basic permissions to take control of the new Gemini Live panel embedded in Chrome, illustrating the kind of privilege abuse it enabled.
Severity
The CVSS 8.8 score places this flaw in the high range. Its real-world danger depends on a precondition: the attacker needs the victim to install a malicious extension. That requirement lowers immediate exploitability compared with a no-interaction remote code execution bug, but it does not eliminate the risk: fraudulent or hijacked extensions are a common vector, and a seemingly harmless extension with minimal permissions could widen its reach by abusing this gap. Importantly, according to Google, there was no evidence of active exploitation at the time of the patch.
Mitigation and patch
The fix is to update Chrome to the Stable branch 143.0.7499.192 (or later) on Windows, macOS and Linux. Most desktop installations update automatically, but it is worth triggering an update check from Settings → About Chrome and restarting the browser so the patch takes effect. In managed environments and in applications that embed WebView/Chromium, check the engine version each deployment actually runs and roll out the corresponding update. As an ongoing best practice, audit and limit your installed extensions: install only what you truly need, from trusted sources, review their permissions, and remove the ones you no longer use.
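For the managed-environment step above, a small version triage over an inventory export, as an added example that is not code from the article or from Google: it compares four-component Chromium version strings against the fixed build 143.0.7499.192 and flags reduced versions such as 143.0.0.0 (the form a User-Agent string carries) as indeterminate, since those hide the patch level. The host names and versions in the sample inventory are constructed.

```python
# Fixed Stable build named in the advisory above.
FIXED_VERSION = "143.0.7499.192"

def parse_version(version: str) -> tuple[int, ...]:
    """'MAJOR.MINOR.BUILD.PATCH' -> comparable 4-tuple; short forms are zero-padded,
    anything that is not dotted digits is rejected instead of being treated as patched."""
    parts = version.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chromium version string: {version!r}")
    return tuple(int(p) for p in parts) + (0,) * (4 - len(parts))

def classify(version: str, fixed: str = FIXED_VERSION) -> str:
    """Return 'vulnerable', 'patched' or 'indeterminate' for one engine version.
    Reduced versions such as '143.0.0.0' (what the User-Agent reports since Chromium's
    UA reduction) hide build and patch numbers, so within the fixed major release they
    are flagged rather than counted on either side."""
    v, f = parse_version(version), parse_version(fixed)
    if v[0] != f[0]:
        return "vulnerable" if v[0] < f[0] else "patched"
    if v[1:] == (0, 0, 0):
        return "indeterminate"
    return "vulnerable" if v < f else "patched"

def audit_inventory(inventory: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Group host names by status; malformed version fields land in 'unparseable'."""
    statuses = ("vulnerable", "patched", "indeterminate", "unparseable")
    report: dict[str, list[str]] = {s: [] for s in statuses}
    for host, version in inventory:
        try:
            report[classify(version)].append(host)
        except ValueError:
            report["unparseable"].append(host)
    return report

# Constructed sample inventory (host, version as shown in chrome://version), not real telemetry.
SAMPLE_INVENTORY = [
    ("ws-01", "143.0.7499.192"),  # exactly the fixed build
    ("ws-02", "143.0.7499.100"),  # same branch, earlier patch level
    ("ws-03", "142.0.7444.60"),   # older major release
    ("ws-04", "144.0.7520.3"),    # newer major release
    ("ws-05", "143.0.0.0"),       # reduced UA-style version, cannot be resolved
    ("kiosk-1", "unknown"),       # inventory field missing
]

if __name__ == "__main__":
    for status, hosts in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:14s} {', '.join(hosts) or '-'}")
```

Hosts reported as indeterminate need the full version read from the installation itself rather than from a User-Agent string before they can be cleared.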
If you manage Chromium-based devices, you may find our Android profile useful, as it is one of the systems that relies most heavily on Chrome’s rendering engine.