CVE-2026-0628: Chrome Zero-Day Actively Exploited in the Wild

Aegiron 9 mins0

High-Severity WebView Authorization Flaw Enables Privileged Script Injection via Malicious Extensions

Vulnerability Overview

CVE ID: CVE-2026-0628
Product: Google Chrome (Desktop)
Affected Component: Chrome WebView (<webview> tag handling in extensions)
CVSS v3.1 Score: 8.8
Severity: High
Attack Vector: Network
User Interaction Required: Yes
Privileges Required: None
Exploit Status: Exploited in the wild
Exploit Availability: Public proof-of-concept (educational / research use only)
Patch Status: Fixed by Google
Official Patch Link:
https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop.html

Executive Summary

CVE-2026-0628 is a Chrome zero-day vulnerability that was actively exploited before a fix was available. The flaw exists in how Chrome enforces security restrictions for the WebView tag, a feature mainly used by browser extensions and embedded web content.

Due to missing or insufficient authorization checks, a malicious Chrome extension could inject and execute HTML or JavaScript code inside privileged browser pages. These pages normally have higher trust levels and access to sensitive browser functions.

Once exploited, this vulnerability allows attackers to bypass Chrome’s security boundaries, potentially leading to credential theft, session hijacking, unauthorized actions on behalf of the user, and further browser-level compromise.

Google has confirmed active exploitation and released an emergency patch. Systems running unpatched versions of Chrome should be considered at high risk.

Technical Details

Root Cause

The vulnerability is caused by improper policy enforcement when Chrome processes <webview> elements created or controlled by extensions. Chrome failed to consistently validate whether an extension was authorized to interact with or inject content into protected browser contexts.

What Went Wrong

  • The WebView tag is intended to isolate untrusted content.
  • In affected versions, certain validation checks were missing or bypassable.
  • This allowed attacker-controlled extensions to:
    • Load crafted pages
    • Inject scripts
    • Execute code in contexts that should be restricted

This is a classic authorization bypass scenario.

Exploitation Scenario

  1. Initial Access
    • The victim installs a malicious or trojanized Chrome extension.
    • This can happen via social engineering, fake productivity tools, or side-loaded extensions.
  2. Triggering the Vulnerability
    • The extension creates or manipulates a <webview> element.
    • Crafted HTML or JavaScript is injected into a privileged Chrome page.
  3. Privilege Escalation
    • The injected code executes with elevated trust.
    • Chrome treats the code as if it belongs to a protected internal page.
  4. Impact
    • Steal authentication cookies or tokens
    • Read or manipulate sensitive page content
    • Perform actions as the logged-in user
    • Establish persistence via extension updates
    • Exfiltrate data to attacker-controlled servers

Impact Assessment

Confidentiality

  • High risk of credential, cookie, and session token theft
  • Possible access to sensitive internal web pages

Integrity

  • Attackers can alter browser content
  • Unauthorized actions performed on trusted websites

Availability

  • Browser instability or forced crashes possible
  • Extension-based persistence can disrupt normal usage

Exploit and PoC Status

  • Proof-of-Concept code exists and demonstrates:
    • Abuse of WebView tag
    • Script injection into privileged contexts
  • PoC code is publicly accessible and should be treated as fully weaponizable
  • PoCs are typically released for educational and defensive research, but they significantly reduce the barrier to exploitation

⚠️ Important: Availability of PoC means threat actors can easily adapt it for real-world attacks.

MITRE Mapping

CWE (Weakness Classification)

  • CWE-862: Missing Authorization

MITRE ATT&CK Techniques

  • T1176.001 – Browser Extensions
  • T1204 – User Execution
  • T1059 – Command and Script Execution
  • T1555 – Credentials from Web Browsers

Detection Strategy

Because exploitation relies on malicious extensions, detection should focus on extension behavior, browser activity, and endpoint telemetry.

What to Look For

Extension-Related Indicators

  • New or recently modified Chrome extensions
  • Extensions installed outside official channels
  • Unexpected changes to manifest.json
  • Extensions requesting excessive permissions

Browser Behavior

  • Access to internal Chrome pages without user action
  • WebView elements loading unexpected or remote content
  • JavaScript execution tied to privileged browser contexts

Endpoint Indicators

  • File creation or modification in Chrome extension directories
  • Chrome spawning unusual child processes
  • Browser writing executable or script files unexpectedly

Network Indicators

  • Chrome or extension processes communicating with unknown domains
  • Immediate outbound connections after extension installation
  • Encrypted exfiltration shortly after browser startup

Detection Rules

File Monitoring

Monitor for creation or modification of:

  • manifest.json
  • Background scripts within Chrome extension directories

Endpoint Detection

  • Alert when Chrome writes new executable or script files
  • Detect Chrome initiating network connections not associated with browsing

Network Monitoring

  • Flag POST requests from browser processes to unknown hosts
  • Monitor DNS queries from Chrome extensions

Log Sources to Enable

  • Endpoint Detection & Response (EDR)
  • Sysmon or equivalent file/process monitoring
  • Browser enterprise management logs
  • Proxy and firewall logs
  • DNS query logs

Mitigation and Remediation

Immediate Actions

  1. Update Google Chrome Immediately
  2. Audit Installed Extensions
    • Remove unknown or unused extensions
    • Investigate recently installed extensions
  3. Restrict Extension Installation
    • Disable developer mode
    • Block side-loaded extensions
    • Enforce extension allow-lists in enterprise environments
  4. Credential Hygiene
    • Rotate credentials if suspicious browser activity is detected
    • Invalidate sessions if compromise is suspected

Hardening Recommendations

  • Enforce browser auto-updates
  • Use Chrome enterprise policies
  • Limit extension permissions
  • Educate users on extension risks
  • Monitor browser behavior as a first-class security signal

Final Takeaway

CVE-2026-0628 represents a serious browser security failure with confirmed real-world exploitation. Since browsers sit at the center of modern workflows, compromise at this level can directly lead to account takeover, data loss, and lateral movement.

Organizations and individuals should treat this vulnerability as urgent and ensure all Chrome installations are patched without delay.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.