New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel  Ravie Lakshmanan  Mar 02, 2026 Vulnerability / Artificial Intelligence Cybersecurity researchers have disclosed details of a now-patched security flaw in Google Chrome that could have permitted attackers to escalate privileges and gain access to local files on the system. The vulnerability, tracked as CVE-2026-0628 (CVSS score: 8.8), has been described as a case of insufficient policy enforcement in the WebView tag. It was patched by Google in early January 2026 in version 143.0.7499.192/.193 for Windows/Mac and 143.0.7499.192 for Linux. "Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome extension," according to a description on the NIST National Vulnerability Database (NVD). Palo Alto Networks Unit 42 researcher Gal Weizman, who discovered and reported the flaw on November 23, 2025, said the issue could have permitted malicious extensions with basic permissions to seize control of the new Gemini Live panel in Chrome. The panel can be launched by clicking the Gemini icon located at the top of the browser window. Google added Gemini integration to Chrome in September 2025. This attack could have been abused by an attacker to achieve privilege escalation, enabling them to access the victim's camera and microphone without their permission, take screenshots of any website, and access local files. The findings highlight an emerging attack vector arising from baking artificial intelligence (AI) and agentic capabilities directly into web browsers to facilitate real-time content summarization, translation, and automated task execution, as the same capabilities could be abused to perform privileged actions. The problem, at its core, is the need for granting these AI agents privileged access to the browsing environment to perform multi-step operations, thereby becoming a double-edged sword when an attacker embeds hidden prompts in a malicious web page, and a victim user is tricked into accessing it via social engineering or some other means. The prompt could instruct the AI assistant to perform actions that would otherwise be blocked by the browser, leading to data exfiltration or code execution. Even worse, the web page could manipulate the agent to store the instructions in memory , causing it to persist across sessions. Besides the expanded attack surface, Unit 42 said the integration of an AI side panel in agentic browsers brings back classic browser security risks. "By placing this new component within the high-privilege context of the browser, developers could inadvertently create new logical flaws and implementation weaknesses," Weizman said. "This could include vulnerabilities related to cross-site scripting (XSS), privilege escalation, and side-channel attacks that can be exploited by less-privileged websites or browser extensions." While browser extensions operate based on a defined set of permissions, successful exploitation of CVE-2026-0628 undermines the browser security model and allows an attacker to run arbitrary code at "gemini.google[.]com/app" via the browser panel and gain access to sensitive data. "An extension with access to a basic permission set through the declarativeNetRequest API allowed permissions that could have enabled an attacker to inject JavaScript code into the new Gemini panel," Weizman added. "When the Gemini app is loaded within this new panel component, Chrome hooks it with access to powerful capabilities." It's worth noting that the declarativeNetRequest API allows extensions to intercept and change properties of HTTPS web requests and responses. It's used by ad-blocking extensions to stop issuing requests to load ads on web pages. In other words, all it takes for an attacker is to trick an unsuspecting user into installing a specially crafted extension, which could then inject arbitrary JavaScript code into the Gemini side panel to interact with the file system, take screenshots, access the camera, turn on the microphone – all features necessary for the AI assistant to perform its tasks. "This difference in what type of component loads the Gemini app is the line between by-design behavior and a security flaw," Unit 42 said. An extension influencing a website is expected. However, an extension influencing a component that is baked into the browser is a serious security risk." Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post. SHARE      Tweet  Share  Share  Share   Share on Facebook  Share on Twitter  Share on Linkedin  Share on Reddit  Share on Hacker News  Share on Email  Share on WhatsApp Share on Facebook Messenger  Share on Telegram SHARE  artificial intelligence , Browser Extension , cybersecurity , Gemini , Google Chrome , privilege escalation , Vulnerability Trending News Researchers Show Copilot and Grok Can Be Abused as Malware C2 Proxies ⚡ Weekly Recap: Double-Tap Skimmers, PromptSpy AI, 30Tbps DDoS, Docker Malware and More ThreatsDay Bulletin: Kali Linux + Claude, Chrome Crash Traps, WinRAR Flaws, LockBit and 15+ Stories Cisco SD-WAN Zero-Day CVE-2026-20127 Exploited Since 2023 for Admin Access Claude Code Flaws Allow Remote Code Execution and API Key Exfiltration Anthropic Says Chinese AI Firms Used 16 Million Claude Queries to Copy Model Anthropic Launches Claude Code Security for AI-Powered Vulnerability Scanning AI-Assisted Threat Actor Compromises 600+ FortiGate Devices in 55 Countries ClickFix Campaign Abuses Compromised Sites to Deploy MIMICRAT Malware Cline CLI 2.3.0 Supply Chain Attack Installed OpenClaw on Developer Systems PromptSpy Android Malware Abuses Gemini AI to Automate Recent-Apps Persistence Notepad++ Fixes Hijacked Update Mechanism Used to Deliver Targeted Malware Dell RecoverPoint for VMs Zero-Day CVE-2026-22769 Exploited Since Mid-2024 Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody Identity Prioritization isn't a Backlog Problem - It's a Risk Math Problem How Exposed Endpoints Increase Risk Across LLM Infrastructure Popular Resources 100+ Domains Multiply Attack Risk 6× - Download the CTEM Divide Research Boost SOC Efficiency with AI-Guided Triage — Download Investigator Overview Silent Residency Is the New Threat Model — Download the Red Report Exposed Cloud Training Apps Are Letting Hackers In — Download the Research