
CVE-2026-0628

Severity: High
Published: 07 January 2026
Modified: 12 January 2026
KEV Added: not listed
Patch: available
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0654 (92.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-0628 is a high-severity Missing Authorization (CWE-862) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Extensions (T1176.001). The CVE is ranked in the top 7.1% of CVEs by exploit likelihood, but it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-0628 is an insufficient policy enforcement vulnerability (CWE-862) in the WebView tag in Google Chrome prior to version 143.0.7499.192. The flaw allows an attacker to bypass the security restrictions that Chrome's extension handling is meant to enforce. Chromium rates it High severity, and its CVSS v3.1 base score is 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

An attacker can exploit this vulnerability by convincing a targeted user to install a malicious Chrome extension. Once installed, the crafted extension enables the injection of scripts or HTML into a privileged page, potentially compromising the confidentiality, integrity, and availability of the affected browser context.

Google addressed this issue in the stable channel update for desktop Chrome, as announced in the Chrome Releases blog at https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop.html. Additional details are available in the Chromium issue tracker at https://issues.chromium.org/issues/463155954. Security practitioners should prioritize updating affected systems to version 143.0.7499.192 or later to mitigate the risk.


Vulnerability details

Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. (Chromium security severity: High)

CWE(s): CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1176.001 Browser Extensions (Persistence)
Adversaries may abuse internet browser extensions to establish persistent access to victim systems.
Why these techniques?

The vulnerability directly enables a bypass of extension policy enforcement, allowing a malicious browser extension to inject into privileged contexts.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2650 (same product: Google Chrome)
CVE-2026-6359 (same product: Google Chrome)
CVE-2025-1006 (same product: Google Chrome)
CVE-2026-8533 (same product: Google Chrome)
CVE-2026-6315 (same product: Google Chrome)
CVE-2025-0995 (same product: Google Chrome)
CVE-2026-9923 (same product: Google Chrome)
CVE-2026-8540 (same product: Google Chrome)
CVE-2026-10011 (same product: Google Chrome)
CVE-2025-0612 (same product: Google Chrome)

Affected Assets

google chrome, versions prior to 143.0.7499.192 (fixed in 143.0.7499.192)

Mitigating Controls (NIST 800-53 r5, AI-assigned)

SI-2 Flaw Remediation (prevent): Directly mitigates CVE-2026-0628 by requiring timely flaw remediation through patching Google Chrome to version 143.0.7499.192 or later.

CM-11 User-installed Software (prevent): Prevents exploitation by prohibiting user installation of unapproved software, including the malicious Chrome extension required for the attack.

SI-3 Malicious Code Protection (prevent, detect): Provides malicious code protection mechanisms that can detect and eradicate harmful extensions attempting to inject scripts into privileged WebView pages.
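The two controls above can be checked on an endpoint's Chrome configuration. The following example is added here and is not part of the CVE record: it compares the installed Chrome build against the fixed version (SI-2) and inspects a Chrome managed-policy document for the ExtensionInstallBlocklist / ExtensionInstallAllowlist settings that stop users installing unapproved extensions (CM-11). The sample policies and the 32-character extension ID are constructed placeholders.

```python
"""SI-2 and CM-11 checks for CVE-2026-0628 (example code, not from the record)."""
import json

FIXED_VERSION = "143.0.7499.192"  # fixed build named in the CVE record


def parse_version(version: str) -> tuple:
    """Turn a dotted Chrome version into a tuple of ints for safe comparison."""
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """SI-2 check: True when the installed build is the fixed build or later.
    Tuple comparison avoids the string-compare trap, where
    "143.0.7499.9" > "143.0.7499.192" would wrongly pass."""
    return parse_version(installed) >= parse_version(fixed)


def user_extensions_blocked(policy: dict) -> bool:
    """CM-11 check on a Chrome managed-policy document: user installs are only
    blocked when ExtensionInstallBlocklist contains the wildcard "*";
    ExtensionInstallAllowlist then re-admits approved extension IDs."""
    return "*" in policy.get("ExtensionInstallBlocklist", [])


def assess(installed_version: str, policy: dict) -> dict:
    """Return findings for both controls plus the approved extension list."""
    return {
        "SI-2_patched": is_patched(installed_version),
        "CM-11_user_extensions_blocked": user_extensions_blocked(policy),
        "approved_extensions": list(policy.get("ExtensionInstallAllowlist", [])),
    }


# Constructed sample policies in the JSON shape Chrome reads from managed policy.
WEAK_POLICY = json.loads('{"ExtensionInstallBlocklist": []}')
HARDENED_POLICY = json.loads(
    '{"ExtensionInstallBlocklist": ["*"],'
    ' "ExtensionInstallAllowlist": ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"]}'  # placeholder ID
)

if __name__ == "__main__":
    for label, version, policy in [
        ("weak", "143.0.7499.190", WEAK_POLICY),
        ("hardened", "143.0.7499.192", HARDENED_POLICY),
    ]:
        print(label, assess(version, policy))
```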
