CVE-2026-0628: Chrome “Gemini Live” Side Panel Injection Bug
CVE-2026-0628 is a high-severity Google Chrome and Chromium vulnerability caused by insufficient policy enforcement in the <webview> tag. In practical terms, it can let a malicious browser extension inject script or HTML into a privileged browser UI context, which researchers tie specifically to Chrome’s Gemini Live side panel.
This matters now because the precondition (a user installing an extension) is realistic in both consumer and managed enterprise environments, and at least one public PoC is indexed.
This blog breaks down what CVE-2026-0628 is, which versions are affected, what we know about exploitation, and what defenders should do next.
What Is CVE-2026-0628 in Chrome?
CVE-2026-0628 is a Chrome/Chromium security bug that stems from insufficient policy enforcement in the <webview> tag. The risk is not a generic web XSS in a normal page. The concern is that a malicious extension can potentially drive content and script injection into a more privileged browser surface.
Details of CVE-2026-0628 (SOCRadar Vulnerability Intelligence)
Unit 42’s recent analysis frames this as a potential Gemini issue because the impact is clearest when gemini.google.com/app is rendered inside the Gemini Live side panel, where the browser treats it differently than when it runs in a standard tab.
Which Chrome Versions Are Affected by CVE-2026-0628?
From the published baselines, the key cutoff is straightforward:
- Vulnerable: Google Chrome versions prior to 143.0.7499.192
- Patched (Stable desktop):
  - Windows/macOS: 143.0.7499.192/.193
  - Linux: 143.0.7499.192
- Patched (Android): Chrome 143.0.7499.192
- Patched (Extended Stable desktop): 142.0.7444.265 (Windows/macOS)
For defenders, the practical rule is to treat anything below 143.0.7499.192 as requiring immediate update unless you are intentionally on Extended Stable, in which case you still need to confirm you are on the fixed Extended Stable build.
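The cutoff above has one wrinkle worth automating: the 142.x Extended Stable line is patched on its own build number, so a plain "below 143.0.7499.192" test would misclassify a fixed Extended Stable browser. The script below is an added illustration, not SOCRadar's or Google's code; it encodes the fixed builds listed in this post and assumes that any 142.x build is on the Extended Stable line. The optional local lookup assumes a Linux-style binary on PATH that answers `--version`.

```python
"""Version gate for CVE-2026-0628 (added example, not the advisory's code).
Fixed builds come from the advisory; treating 142.x as Extended Stable is an
assumption made here."""
import re
import shutil
import subprocess
from typing import Optional

# Fixed builds named in the advisory.
FIX_STABLE = (143, 0, 7499, 192)    # Stable desktop and Android; macOS may report .193
FIX_EXTENDED = (142, 0, 7444, 265)  # Extended Stable, Windows/macOS


def parse_version(text: str) -> tuple:
    """Extract a four-part Chrome version from text such as
    'Google Chrome 143.0.7499.192' and return it as a tuple of ints."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no Chrome-style version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(text: str) -> bool:
    """True when the build is below the fix for its release line.

    Anything below 142 is vulnerable. 142.x is compared against the
    Extended Stable fix; every other line is compared against the Stable
    fix, so 143.0.7499.193 and any 144+ build count as patched.
    """
    version = parse_version(text)
    if version[0] == 142:
        return version < FIX_EXTENDED
    return version < FIX_STABLE


def installed_chrome_version() -> Optional[str]:
    """Best-effort '<binary> --version' lookup (assumes a Linux-style binary
    on PATH). Returns None when no known binary is found."""
    for binary in ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser"):
        path = shutil.which(binary)
        if path:
            out = subprocess.run([path, "--version"], capture_output=True, text=True, timeout=10)
            return out.stdout.strip() or None
    return None


if __name__ == "__main__":
    banner = installed_chrome_version()
    if banner is None:
        print("no Chrome/Chromium binary found on PATH")
    else:
        state = "VULNERABLE - update now" if is_vulnerable(banner) else "patched"
        print(f"{banner}: {state}")
```

Feeding `is_vulnerable()` the version strings your inventory or MDM already collects gives a fleet-wide answer without relying on the local lookup; the 142.x branch rule is the part to keep if you adapt it.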
How Could CVE-2026-0628 Be Exploited in Practice?
The exploitation model described by researchers is extension-led. That is an important constraint, but it is also a common real-world scenario because:
- Users can install extensions directly in unmanaged environments.
- In enterprises, a compromised user account or weak extension controls can lead to risky extension installs.
At a high level, the chain looks like this:
- A user installs a malicious extension.
- The extension uses capabilities such as declarativeNetRequest to intercept or alter content destined for the Gemini web app.
- Before the fix, that manipulation could carry over even when Gemini is rendered inside the Gemini panel, enabling JavaScript/HTML injection into that privileged panel context.
Once an attacker executes code in that panel context, Unit 42 reports the attacker could potentially abuse panel-level capabilities, including local file access, screenshots, camera/mic access, and phishing through a trusted browser UI surface.
Is CVE-2026-0628 Being Exploited in the Wild?
At the time of writing, there is no authoritative confirmation in the provided sources that CVE-2026-0628 is actively exploited at scale in the wild:
- Google’s Chrome Releases entry lists the fix but does not include the typical “exploited in the wild” language.
- NVD does not indicate known exploitation.
- The issue is not flagged in CISA KEV.
That said, defenders should not treat “no confirmed exploitation” as “low risk”. A realistic prerequisite (extension install) plus a privileged UI target plus PoC visibility tends to shorten the time between disclosure and opportunistic abuse.
Is There a Public Proof-of-Concept (PoC) for CVE-2026-0628?
Yes, at least one public PoC repository is indexed via VulnCheck’s exploit database (XDB), referencing a GitHub repo named as a CVE-2026-0628 PoC.
Even when exploitation is not confirmed, PoC availability typically increases copy/paste attacker interest, especially for bugs that can be demonstrated reliably in common configurations.
Turn Vulnerability Noise into Actionable Intelligence
Not every CVE poses the same risk. SOCRadar’s Cyber Threat Intelligence module helps security teams identify which vulnerabilities are actively exploited, discussed by threat actors, or linked to ransomware campaigns.
By correlating real-world exploitation data, PoC availability, Dark Web chatter, and KEV listings, the platform enables teams to prioritize remediation based on actual threat activity, not just CVSS scores.
SOCRadar’s Vulnerability Intelligence
What Should Defenders Do Now to Mitigate CVE-2026-0628?
Patch immediately
- Upgrade Chrome and Chromium-based browsers to a fixed build:
  - Desktop Stable: 143.0.7499.192+ (macOS may show .193)
  - Android: 143.0.7499.192
  - Extended Stable: 142.0.7444.265+ (Windows/macOS)
Reduce extension risk
Because the exploit path requires an extension, harden extension governance:
- Enforce extension allowlisting and block unknown publishers.
- Review and continuously monitor extensions with powerful permissions, especially those that can modify request/response behavior.
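The chain described earlier (an extension using request-rewriting APIs such as declarativeNetRequest against the Gemini web app) and the monitoring advice above both reduce to the same audit question: which installed extensions combine traffic-altering permissions with host access that covers gemini.google.com? The script below is an added example, not SOCRadar's or Google's tooling. It reads unpacked extension manifests from a Chrome profile's `Extensions` directory; the set of "risky" API permissions and the priority labels are this script's own choices, and the sample manifest is constructed for demonstration.

```python
"""Audit Chrome extension manifests for request-rewriting APIs plus host access
covering the Gemini web app (added example, not the advisory's tooling)."""
import json
import os
import re
import sys

# APIs that can rewrite page traffic or inject into page context (this script's choice).
RISKY_API_PERMISSIONS = {
    "declarativeNetRequest", "declarativeNetRequestWithHostAccess",
    "declarativeNetRequestFeedback", "webRequest", "webRequestBlocking",
    "scripting", "debugger",
}
GEMINI_URL = "https://gemini.google.com/app"  # surface named in the advisory


def pattern_matches(pattern: str, url: str) -> bool:
    """Evaluate a Chrome match pattern (scheme://host/path) against a URL.
    Handles <all_urls>, a '*' scheme, '*' and '*.example.com' hosts, and '*'
    wildcards in the path component."""
    if pattern == "<all_urls>":
        return True
    pat = re.match(r"^(\*|https?|file|ftp)://([^/]*)(/.*)$", pattern)
    parsed = re.match(r"^(https?)://([^/]*)(/.*)?$", url)
    if not pat or not parsed:
        return False
    scheme, host, path = pat.groups()
    url_scheme, url_host, url_path = parsed.groups()
    url_path = url_path or "/"
    if scheme not in ("*", url_scheme):
        return False
    if host == "*":
        host_ok = True
    elif host.startswith("*."):
        host_ok = url_host == host[2:] or url_host.endswith(host[1:])
    else:
        host_ok = url_host == host
    path_re = "^" + re.escape(path).replace(r"\*", ".*") + "$"
    return host_ok and re.match(path_re, url_path) is not None


def audit_manifest(manifest: dict) -> dict:
    """Summarise one manifest: risky API permissions, host patterns covering
    the Gemini app, static DNR rulesets, and a review priority."""
    api_perms, host_patterns = set(), []
    for key in ("permissions", "optional_permissions"):  # MV2 mixes both kinds here
        for entry in manifest.get(key, []):
            if "://" in entry or entry == "<all_urls>":
                host_patterns.append(entry)
            else:
                api_perms.add(entry)
    for key in ("host_permissions", "optional_host_permissions"):  # MV3 keys
        host_patterns.extend(manifest.get(key, []))
    risky = sorted(api_perms & RISKY_API_PERMISSIONS)
    gemini_hosts = [p for p in host_patterns if pattern_matches(p, GEMINI_URL)]
    rulesets = manifest.get("declarative_net_request", {}).get("rule_resources", [])
    priority = "high" if risky and gemini_hosts else "medium" if risky else "none"
    return {
        "name": manifest.get("name", "<unnamed>"),   # may be a __MSG_..__ i18n key
        "version": manifest.get("version", "?"),
        "risky_permissions": risky,
        "hosts_covering_gemini": gemini_hosts,
        "static_dnr_rulesets": len(rulesets),
        "priority": priority,
    }


def audit_extensions_dir(root: str) -> list:
    """Walk a profile's Extensions directory (<id>/<version>/manifest.json)."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        if "manifest.json" not in files:
            continue
        with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8") as fh:
            try:
                manifest = json.load(fh)
            except json.JSONDecodeError:
                continue
        result = audit_manifest(manifest)
        result["path"] = dirpath
        results.append(result)
    return results


# Constructed sample manifest (not a real extension) showing the combination
# an auditor would want surfaced under this advisory.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Constructed Sample Helper",
    "version": "1.0",
    "permissions": ["declarativeNetRequest", "storage"],
    "host_permissions": ["https://*.google.com/*"],
    "declarative_net_request": {
        "rule_resources": [{"id": "r1", "enabled": True, "path": "rules.json"}]
    },
}

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else None
    reports = audit_extensions_dir(root) if root else [audit_manifest(SAMPLE_MANIFEST)]
    for report in sorted(reports, key=lambda r: r["priority"] != "high"):
        print(json.dumps(report, indent=2))
```

Run it with the path to a profile's `Extensions` folder to get one JSON record per installed extension version, high-priority entries first; run it with no argument to see the constructed sample classified as high. A "high" result is a review queue, not a verdict: many legitimate ad blockers carry declarativeNetRequest with broad host access, which is exactly why allowlisting by publisher belongs alongside this check.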
Optional exposure reduction for Gemini
If your environment does not need Gemini in Chrome, consider temporarily disabling or hiding Gemini as a risk-reduction measure. This can reduce the likelihood of the specific panel-hijack scenario, but it should not replace patching.
