How Malicious Chrome Extensions Exploit Gemini AI to Steal Local Files (CVE‑2026‑0628)

The article dissects Chrome’s high‑severity CVE‑2026‑0628 zero‑day, showing how a policy enforcement flaw in the WebView tag lets malicious extensions hijack the privileged Gemini Panel to read local files, capture audio/video, take screenshots, and achieve privilege escalation, and outlines affected versions, risk assessment, and remediation steps.

Black & White Path

Overview

In January 2026 Google released Chrome 143.0.7499.192/193 to patch a high‑severity (CVSS 8.8) zero‑day identified as CVE‑2026‑0628. The vulnerability was discovered by Palo Alto Networks Unit 42 researcher Gal Weizman on 23 Nov 2025 and stems from insufficient policy enforcement in the WebView component.

Technical Root Cause

The WebView tag, which renders web content for extensions, normally obeys same‑origin and CSP restrictions. When the Gemini AI side‑panel (gemini.google.com/app) was integrated, the component obtained privileged access beyond ordinary extensions, exposing a policy enforcement gap.

AI Integration Side‑Effect

Gemini AI was added to Chrome in September 2025, exposing a “double‑edged sword”: the AI panel runs in a high‑privilege context, enabling new functionality but also creating an attack surface. Unit 42 notes that placing the AI component in a privileged context can unintentionally introduce logical flaws that attackers can exploit via hidden prompts.

Attack Chain

The full chain reconstructed from the disclosure is:

1. Induce Installation – attackers lure victims to install a malicious extension disguised as a benign tool.

2. Obtain Basic Permissions – the extension requests only standard browsing permissions and runs silently.

3. Inject Payload – leveraging the WebView policy flaw, the extension injects a crafted script or HTML into the Gemini Panel’s WebView.

4. Privileged Execution – the payload runs at gemini.google.com/app, gaining the same system‑level access as the Gemini AI panel.

5. Malicious Operations – the attacker can then:

   - Access camera and microphone for covert recording.

   - Take arbitrary screenshots of any webpage.

   - Read local files, including documents, password stores, and key files.

   - Escalate privileges to break out of the browser sandbox.

Indirect Prompt Injection Threat

Unit 42 also highlights that attackers can store malicious commands in the AI’s “long‑term memory” via indirect prompt injection, allowing the payload to persist across sessions even after the initial malicious page is closed.

Impact Scope

All Chrome versions prior to 143.0.7499.192 on Windows, macOS, and Linux are vulnerable. The fix is included in Chrome 143.0.7499.192 (Windows and macOS) and 143.0.7499.193 (Linux).

Risk Assessment

High‑risk groups include enterprise users with many extensions, users who frequently click unknown links, those performing sensitive operations (online banking, corporate logins), and anyone who has enabled the Gemini Panel. Medium‑risk groups are users who strictly manage extension sources or use Chrome without a Google account.

Remediation Recommendations

Immediate Actions

Upgrade Chrome to version ≥ 143.0.7499.192. Verify via chrome://version.

Audit installed extensions at chrome://extensions/ and remove unknown or overly permissive ones, especially those requesting “read and change data on all sites”.

Reset sensitive permissions via chrome://settings/content for retained extensions.
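
The version check and extension audit above can be scripted for a fleet. The following is an added example, not code from the article or from Chrome: it compares a chrome://version string numerically against the fixed build and flags extensions whose manifests request all-sites access. It assumes the on-disk layout `<profile>/Extensions/<id>/<version>/manifest.json`; the extension IDs and manifests in `demo()` are constructed.

```python
import json
import tempfile
from pathlib import Path

# Match patterns that grant access to every site ("read and change data on all sites").
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def _build(v):
    # "143.0.7499.192 (Official Build)" -> (143, 0, 7499, 192)
    return tuple(int(p) for p in v.split()[0].split("."))

def is_patched(version, fixed="143.0.7499.192"):
    """Numeric compare; as text, '.99' would wrongly sort after '.192'.
    The article lists 143.0.7499.193 for Linux; pass it as `fixed` there."""
    return _build(version) >= _build(fixed)

def broad_patterns(manifest):
    """All-sites patterns in MV2/MV3 permission fields and content scripts."""
    declared = set()
    for key in ("permissions", "host_permissions",
                "optional_permissions", "optional_host_permissions"):
        declared.update(p for p in manifest.get(key, []) if isinstance(p, str))
    for script in manifest.get("content_scripts", []):
        declared.update(script.get("matches", []))
    return declared & BROAD

def audit_extensions(ext_root):
    """Map extension ID -> findings for <ext_root>/<id>/<version>/manifest.json."""
    findings = {}
    for path in sorted(Path(ext_root).glob("*/*/manifest.json")):
        try:
            hits = broad_patterns(json.loads(path.read_text(encoding="utf-8-sig")))
        except (OSError, ValueError, AttributeError):
            hits = {"unreadable manifest"}  # review by hand rather than skip
        if hits:
            findings.setdefault(path.parts[-3], set()).update(hits)
    return findings

def demo():
    """Audit two constructed manifests (made-up IDs) in a temporary directory."""
    samples = {
        "aaaaexampleidaaaa": {"host_permissions": ["https://example.com/*"]},
        "bbbbexampleidbbbb": {"permissions": ["tabs"], "host_permissions": ["<all_urls>"]},
    }
    with tempfile.TemporaryDirectory() as root:
        for ext_id, manifest in samples.items():
            d = Path(root, ext_id, "1.0_0")
            d.mkdir(parents=True)
            (d / "manifest.json").write_text(json.dumps(manifest))
        return audit_extensions(root)
```

Point `audit_extensions` at a profile's `Extensions` directory; unpacked extensions loaded from elsewhere on disk are not covered and still need the manual review at chrome://extensions/.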

Long‑Term Defenses

Enterprise administrators should enforce extension whitelists through Chrome Enterprise Policies.

Deploy endpoint detection and response (EDR) tools to monitor anomalous browser behavior.

Conduct risk assessments for built‑in AI features like Gemini and define usage policies.

Individual users should install extensions only from the Chrome Web Store, use Chrome’s “Safety Check” (chrome://settings/safetyCheck), and consider incognito or separate profiles for high‑sensitivity tasks.

Conclusion

The CVE‑2026‑0628 disclosure demonstrates that deep AI integration can undermine traditional extension permission models and same‑origin policies, creating a new class of browser‑level threats. Prompt patching, careful extension management, and ongoing monitoring of AI‑related attack vectors are essential for maintaining web security.

References

Palo Alto Networks Unit 42 Research: “Gemini Live in Chrome: Hijacking High‑Privilege AI Panels”.

NIST National Vulnerability Database: CVE‑2026‑0628.

Chrome Releases Blog: Stable Channel Update for Desktop (January 2026).

The Hacker News: “New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel”.
