Chrome under the magnifying glass: how CVE-2026-0628 allowed extensions to spy files and activate the camera with Gemini Live

In early January 2026 Google corrected a vulnerability that, according to security researchers, could allow malicious extensions to raise their privileges and access local files and user devices. The problem, recorded as CVE-2026-0628 and valued with a high CVSS score (8.8), it affected the way Chrome handled the WebView component of the new integrated IA panel, known as Gemini Live. The update with the correction was published in versions 143.0.7499.192 / .193 for Windows and Mac and in 143.0.7499.192 for Linux; the notice is available on the official Chrome update blog: Chrome Releases - Stable Channel Update (January 2026).

The public record of vulnerability in the NIST database explains that the root of the failure was a insufficient implementation of policies on the WebView label, which made it easier for a manipulated extension to inject HTML or scripts into a page with privileges. You can check the specification at the National Vulnerability Database here: CVE-2026-0628 in NVD.

The detection was the work of Gal Weizman, a researcher at Unit 42 of Palo Alto Networks, who reported the judgement in November 2025. In his analysis, Weizman shows how an extension with apparently basic permissions - for example, enabled by the API declarativeNetRequest, used by many ad blockers - could influence Gemini's panel and run code in a context that would normally be more reliable. The Unit 42 report details the technique and associated risks: Gemini Live in Chrome Hijacking.

What did this mean in practice? By exploiting the gap, a manipulated extension could force the browser to load the Gemini application from the Google domain with the open panel and, from there, access privileged resources. Among the potentially achievable actions by an attacker were the activation of the camera and microphone without explicit approval, the capture of open page screens and the reading of local files. In other words, capabilities designed for the assistant to perform complex tasks could become means of abuse.

Beyond the technical incident, the case puts on the table a broader dilemma: by integrating artificial intelligence agents directly into the browser to offer real-time summaries, translation or execution of automated actions, developers give these functions deeper access to the navigation environment. Such access necessary for utility can become a vulnerability when an attacker gets the user to run or load malicious content containing hidden instructions for the IA agent.

An additional risk identified by researchers is the possibility of persistent "propps" injection. That is, a malicious website can not only give a timely order to the agent, but also try to keep instructions in his long-term memory - a technique that Unit 42 explores in an analysis of how indirect prompt injection attacks can poison the memory of a model -: Indirect prompt injection poisons AI long-term memory. If an agent retains such instructions, exposure could be repeated in subsequent sessions.

The risks that reappear with the addition of an IA panel are not in essence new: the classic browser security problems - XSS, privilege climbing and side channels - reappear when a new high privilege component is mounted within the same process or context as the browser. Weizman and his team warn that placing IA functionalities in a privileged context can introduce logical failures and weak implementations that a website or a limited-permissions extension could take advantage of.

For users, the lesson is clear: keeping the browser updated is the first and most effective defense. Google already released the corresponding patch and stable versions include correction, so reviewing and applying Chrome updates should be a priority. In addition, it is appropriate to review the installed extensions and to limit them to those from reliable sources with permits in accordance with their function.

Extensions developers and browser managers also have work ahead of them. It is necessary to reevaluate the privilege models, to tighten the isolation policies between components and to review the APIs that allow extensions to intercept and modify web traffic - the same capacity that makes it useful to many ad blockers can be used maliciously if there are no proper controls -. Google posted information on Gemini's integration into Chrome when it presented these functions; for context and details on how the IA was integrated into the browser, see: New IA features for Chrome - Google Blog and the help page on the Gemini Live panel: Chrome Support: Gemini Live.

This incident should be read as a reminder that the convenience and power of the IA integrated into daily applications is accompanied by an extended attack surface. The capabilities that allow the assistant to perform complex action chains are precisely those that, in the wrong hands, allow to carry out data exfiltration or code execution. Security must evolve to the rate of functionality: both in the browser architecture and in the risk assessment involving components with privileges.

If you want to deepen how extensions work and what permissions exist, and know the best practices for their safe development, the documentation for Chrome developers offers guides and recommendations: Security for extensions in Chrome. In short, the combination of timely updates, prudence when installing extensions and a conscious security design by suppliers is what will reduce the likelihood that problems like CVE-2026-0628 will become large-scale incidents.