CVE-2026-0628 in Chrome
Summary
by MITRE • 01/07/2026
Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. (Chromium security severity: High)
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 01/12/2026
This vulnerability represents a critical security flaw in Google Chrome's WebView implementation that stems from inadequate policy enforcement mechanisms. The issue specifically affects Chrome versions prior to 143.0.7499.192 and manifests through a dangerous privilege escalation vector that allows malicious extensions to compromise privileged pages. The vulnerability operates through a sophisticated attack chain where an attacker must first convince a user to install a malicious extension, which then leverages the WebView tag's insufficient access controls to inject arbitrary scripts or HTML content into sensitive privileged contexts.
The technical flaw resides in the WebView tag's handling of cross-origin resource sharing and privilege boundaries within the Chrome extension ecosystem. When a malicious extension is installed and executed, it can exploit the WebView component to bypass normal security restrictions that should prevent untrusted content from executing in privileged contexts. This represents a failure in Chrome's security model where the WebView tag does not properly enforce the same security policies that apply to regular browser navigation, creating a dangerous attack surface. The vulnerability is classified under CWE-693 as "Protection Mechanism Failure" and aligns with ATT&CK technique T1176 for "Browser Extensions") and T1059 for "Command and Scripting Interpreter" as it enables arbitrary code execution through script injection.
The operational impact of this vulnerability is severe as it allows attackers to gain unauthorized access to sensitive browser functionality and user data. Once successfully exploited, the malicious extension can inject content into privileged pages that might contain sensitive user information, authentication tokens, or access administrative functions. This creates a persistent threat vector that can remain active as long as the malicious extension remains installed, potentially allowing for ongoing data exfiltration, session hijacking, or further exploitation of the victim's browser environment. The high severity classification reflects the potential for widespread compromise across Chrome users who may unknowingly install malicious extensions.
Mitigation strategies should focus on immediate patching to Chrome version 143.0.7499.192 or later, which contains the necessary security fixes for the WebView policy enforcement. Organizations should implement strict extension installation policies, regularly audit installed extensions, and educate users about the risks of installing third-party extensions from untrusted sources. Browser administrators should consider implementing additional security measures such as extension whitelisting, regular security scanning of installed extensions, and monitoring for suspicious extension behavior. The vulnerability also highlights the importance of maintaining current security practices and adhering to the principle of least privilege in browser extension management, as recommended by the NIST Cybersecurity Framework and ISO 27001 standards for information security management.