Cyber Posture

CVE-2026-0628

Severity: High
Published: 07 January 2026
Modified: 12 January 2026
KEV Added: not listed
Patch: fixed in Google Chrome 143.0.7499.192
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (6.4th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-0628 is a high-severity Missing Authorization (CWE-862) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Extensions (T1176.001). Its EPSS score places it at the 6.4th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Browser Extensions (T1176.001). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 (Flaw Remediation), prevent
Directly mitigates CVE-2026-0628 by requiring timely flaw remediation through patching Google Chrome to version 143.0.7499.192 or later.

CM-11 (User-installed Software), prevent
Prevents exploitation by prohibiting user installation of unapproved software, including the malicious Chrome extension required for the attack.

Malicious code protection (control identifier not shown on this page), prevent / detect
Provides malicious code protection mechanisms that can detect and eradicate harmful extensions attempting to inject scripts into privileged WebView pages.

MITRE ATT&CK Enterprise Techniques

T1176.001 Browser Extensions (Persistence)
Adversaries may abuse internet browser extensions to establish persistent access to victim systems.
Why these techniques?

Vulnerability directly enables bypass of extension policy enforcement, allowing malicious browser extensions to inject into privileged contexts.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. (Chromium security severity: High)

Deeper analysis

CVE-2026-0628 is an insufficient policy enforcement vulnerability (CWE-862, Missing Authorization) in the WebView tag in Google Chrome prior to version 143.0.7499.192. The flaw lets an attacker bypass the security restrictions the browser intends to enforce on extensions. Chromium rates it High severity, and it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

An attacker can exploit this vulnerability by convincing a targeted user to install a malicious Chrome extension. Once installed, the crafted extension enables the injection of scripts or HTML into a privileged page, potentially compromising the confidentiality, integrity, and availability of the affected browser context.

Google addressed this issue in the stable channel update for desktop Chrome, as announced in the Chrome Releases blog at https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop.html. Additional details are available in the Chromium issue tracker at https://issues.chromium.org/issues/463155954. Security practitioners should prioritize updating affected systems to version 143.0.7499.192 or later to mitigate the risk.

Details

CWE(s): CWE-862 (Missing Authorization)

Affected Products: Google Chrome, versions prior to 143.0.7499.192 (fixed in 143.0.7499.192)

CVEs Like This One

CVE-2025-0762 (same product: Google Chrome)
CVE-2025-1914 (same product: Google Chrome)
CVE-2026-6363 (same product: Google Chrome)
CVE-2025-0612 (same product: Google Chrome)
CVE-2026-6358 (same product: Google Chrome)
CVE-2025-0997 (same product: Google Chrome)
CVE-2026-6315 (same product: Google Chrome)
CVE-2025-0436 (same product: Google Chrome)
CVE-2025-0437 (same product: Google Chrome)
CVE-2025-0995 (same product: Google Chrome)
