Google Releases Urgent Patch for High-Risk Chrome WebView Vulnerability (CVE-2026-0628)
Google Patches High-Severity Chrome Flaw That Could Allow Attackers to Bypass Security Policies
Related Entities
Organizations
Products & Tech
CVE Identifiers
MITRE ATT&CK Techniques
Full Report
Executive Summary
Google has released an emergency security update for its Chrome browser to fix a high-severity vulnerability, CVE-2026-0628. The flaw exists in the WebView component and is caused by "insufficient policy enforcement." This could allow a malicious browser extension to bypass critical security restrictions designed to protect privileged browser pages. Successful exploitation could enable an attacker to steal data, hijack user sessions, or perform other malicious actions. The vulnerability affects Chrome on all major desktop platforms (Windows, macOS, and Linux). Google has not observed any active exploitation but strongly recommends all users update their browsers to version 143.0.7499.192/.193 or later to mitigate the risk.
Vulnerability Details
- CVE ID:
CVE-2026-0628 - Severity: High
- Component: WebView
- Description: The vulnerability is categorized as "Insufficient policy enforcement in WebView." The WebView component is a critical part of Chrome and Android that allows applications to render web content. A flaw in its policy enforcement means that security rules that are supposed to isolate content and prevent unauthorized actions can be circumvented.
- Attack Vector: The most likely attack scenario involves social engineering a user into installing a malicious browser extension. Once installed, this extension could leverage
CVE-2026-0628to inject malicious HTML or JavaScript into a privileged context, such as a settings page or another extension's page, which are normally sandboxed and protected.
Exploitation Status: As of the announcement, Google has found no evidence that this vulnerability is being exploited in the wild.
Affected Systems
- Google Chrome: Versions prior to 143.0.7499.192/.193 for Windows, macOS, and Linux.
- Downstream Browsers: Other Chromium-based browsers (e.g., Microsoft Edge, Brave, Opera) are also likely affected and will require updates from their respective vendors.
Impact Assessment
- Security Bypass: The core impact is the bypass of the browser's security model, which is designed to keep web content and extensions isolated from each other and from sensitive parts of the browser.
- Data Theft: An attacker could inject scripts to steal cookies, session tokens, or information entered into forms.
- Session Hijacking: By stealing session cookies, an attacker could potentially take over a user's logged-in sessions for various websites.
- Further Compromise: The ability to execute code in a privileged context could potentially be chained with other vulnerabilities to achieve a more significant system compromise.
Cyber Observables for Detection
Since this vulnerability requires a malicious extension, detection would focus on the delivery and behavior of such extensions.
Detection Methods
- Endpoint Detection and Response (EDR): EDR solutions can monitor for suspicious process behavior originating from the Chrome browser or its extension processes. This could include unexpected file access or network connections.
- Browser Extension Auditing: In an enterprise environment, use browser management tools to maintain an allowlist of approved browser extensions and block users from installing unvetted ones. This is a form of D3FEND Executable Allowlisting (D3-EAL).
- Version Scanning: Use asset management or vulnerability scanning tools to identify all instances of outdated and vulnerable Chrome versions within the organization.
Remediation Steps
- Update Google Chrome: The only remediation is to ensure all instances of Google Chrome are updated to version 143.0.7499.192/.193 or later. Chrome's auto-update feature will handle this for most users, but it can be forced by navigating to
chrome://settings/help. - Update Other Chromium Browsers: Users of other Chromium-based browsers should check for and apply updates from their respective vendors.
- Audit Browser Extensions: Users should review their installed browser extensions (
chrome://extensions/) and remove any that are unfamiliar, untrusted, or no longer needed. This reduces the overall attack surface. - Enterprise Patch Management: System administrators should use their patch management systems to push the updated Chrome version to all managed endpoints promptly. This is a direct application of D3FEND Software Update (D3-SU).
Timeline of Events
MITRE ATT&CK Mitigations
Update Software
Update Google Chrome and other Chromium-based browsers to the latest version to remediate the vulnerability.
Mapped D3FEND Techniques:
Limit Software Installation
In enterprise environments, restrict users from installing unauthorized browser extensions by using an allowlist policy.
Mapped D3FEND Techniques:
D3FEND Defensive Countermeasures
The immediate and most critical action is to ensure all instances of Google Chrome are updated across the user base. For individual users, this typically happens automatically, but they can force an update by going to 'Help' > 'About Google Chrome'. For enterprises, this vulnerability underscores the need for a centralized and aggressive patch management program for third-party applications, especially web browsers. System administrators should use tools like Microsoft Endpoint Manager (Intune), Jamf, or other configuration management platforms to push the update to all managed devices within 24-48 hours. This rapid deployment cycle is essential for browser vulnerabilities, as the time between disclosure and exploit development can be very short.
Since this attack requires a malicious extension, enterprises can proactively mitigate this and similar threats by implementing browser extension allowlisting. Using Google Workspace policies or other browser management tools, administrators should create a curated list of approved, business-justified extensions. All other extensions should be blocked by default ('*'). This prevents users from being tricked into installing a malicious extension that could exploit CVE-2026-0628 or future vulnerabilities. This approach significantly reduces the browser's attack surface and shifts the security model from reactive (detecting bad extensions) to proactive (only allowing known good ones).
Timeline of Events
The vulnerability was responsibly disclosed to Google by researcher Gal Weizman.
Google releases the security update for Chrome to patch CVE-2026-0628.
Sources & References
Article Author
Jason Gomes
• Cybersecurity PractitionerCybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Tags
📢 Share This Article
Help others stay informed about cybersecurity threats
🎯 MITRE ATT&CK Mapped
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
🧠 Enriched & Analyzed
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
🛡️ Actionable Guidance
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
🔗 STIX Visualizer
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
⚡ Sigma Generator
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.