Vulnerabilities | January 7, 2026

Chrome Patches High-Severity WebView Policy Bypass

CVE-2026-0628 allowed malicious extensions to inject scripts into privileged pages through insufficient policy enforcement. Update to Chrome 143.0.7499.192.

Marcus Chen

Google released Chrome 143.0.7499.192 on January 6 to address CVE-2026-0628, a high-severity vulnerability in the WebView component that could allow attackers to bypass security policies and inject malicious code into privileged browser pages. The fix marks Chrome's first security update of 2026.

The vulnerability affects Windows, macOS, Linux, and Android versions of Chrome. Users should update immediately—navigating to Settings > Help > About Google Chrome triggers an automatic check and installation.

What Is CVE-2026-0628?

The flaw stems from insufficient policy enforcement in Chrome's WebView tag. WebView is the component browsers and applications use to render web content within other contexts—like displaying a webpage inside an app or an extension.

Security researcher Gal Weizman discovered that attackers could craft malicious Chrome extensions that exploit this weakness. When installed, such extensions could inject scripts or HTML into pages that should be protected from modification—including privileged Chrome internal pages.

Normally, Chrome enforces strict boundaries between extensions and sensitive pages. CVE-2026-0628 broke those boundaries. An attacker who convinced a user to install a malicious extension could access data or execute actions in contexts that should be off-limits.

Why WebView Matters

WebView isn't just a browser component. It's the foundation for web content rendering across thousands of Android applications. When you view a webpage inside an app—a link in your email client, embedded content in a social media app, or a login page in a third-party application—you're often looking at WebView.

A vulnerability in WebView doesn't just affect Chrome. It potentially affects every application that relies on WebView for in-app browsing. That's a significant attack surface.

For Chrome specifically, the vulnerability meant extensions could interact with pages they shouldn't access. Chrome extensions already have broad capabilities by design, but policy enforcement is supposed to prevent them from tampering with system pages, other extensions' interfaces, or security-critical components.

Attack Requirements

Exploitation required convincing a user to install a malicious extension. This limits the attack surface somewhat—random websites can't exploit CVE-2026-0628 directly. The attacker needs their code running in the browser first.

But malicious extensions aren't rare. They appear in the Chrome Web Store regularly, sometimes disguised as legitimate utilities. We've covered browser extension attacks affecting millions of users. Once installed, the extension operates with whatever permissions the user granted, plus whatever additional access vulnerabilities like this one provide.

The requirement for extension installation also means enterprise environments with extension allowlists face lower risk than individuals who install extensions freely.

Patching Details

Google addressed the vulnerability in the following versions:

Platform   Fixed Version
Windows    143.0.7499.192 or 143.0.7499.193
macOS      143.0.7499.192 or 143.0.7499.193
Linux      143.0.7499.192
Android    143.0.7499.193

Chrome typically updates automatically, but updates only apply after browser restart. Users who keep Chrome running indefinitely may be running vulnerable versions without realizing it.

To check your version: Chrome menu > Help > About Google Chrome. The page displays your current version and triggers an update check. Relaunch after updating to ensure the new version loads.
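The version check described above can be scripted for fleets or for a quick sanity check on one machine. The following is an added example, not Google's code: the per-platform fixed builds are the ones in the table above, while the binary paths used to read a locally installed version are assumptions about common install locations. Versions are compared as integer tuples, so a later milestone such as 144.x is correctly treated as patched, and the Android threshold (one build higher than desktop) is handled separately.

```python
"""Check whether a Chrome or WebView version carries the CVE-2026-0628 fix.

Added example, not Google's code. The per-platform fixed builds come from
the article's table; the binary paths used to read a local version are
assumptions about common install locations.
"""
import re
import subprocess

# Minimum fixed build per platform. Where Google shipped two builds, the
# lower one is the first that contains the fix.
FIXED_VERSIONS = {
    "windows": "143.0.7499.192",
    "macos": "143.0.7499.192",
    "linux": "143.0.7499.192",
    "android": "143.0.7499.193",
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first four-part Chrome version in `text` as a tuple of ints,
    so that '143.0.7499.192' and 'Google Chrome 143.0.7499.192' both work.
    Tuple comparison handles later milestones (144.x) correctly, which a
    plain string comparison would not."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(platform, version_text):
    """True if `version_text` is at or above the fixed build for `platform`
    (windows, macos, linux, android; case-insensitive). Note the Android
    threshold is one build higher than the desktop one."""
    key = platform.lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform {platform!r}")
    return parse_version(version_text) >= parse_version(FIXED_VERSIONS[key])


# Assumed locations of the Chrome binary for reading the installed version.
_VERSION_COMMANDS = {
    "linux": ["google-chrome", "--version"],
    "macos": ["/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
              "--version"],
}


def local_chrome_version(platform):
    """Best-effort read of the installed Chrome version via `--version`.
    Returns the raw output, or None if the binary is absent or fails.
    This reports the installed binary, not the running process: a browser
    that has not been relaunched since updating is still the old version."""
    cmd = _VERSION_COMMANDS.get(platform.lower())
    if cmd is None:
        return None
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    import sys
    plat = sys.argv[1] if len(sys.argv) > 1 else "linux"
    text = sys.argv[2] if len(sys.argv) > 2 else local_chrome_version(plat)
    if text is None:
        print(f"could not read a Chrome version for {plat}")
    else:
        state = "patched" if is_patched(plat, text) else "VULNERABLE"
        print(f"{plat}: {text} -> {state} (fix: {FIXED_VERSIONS[plat.lower()]})")
```

Run it as `python check_chrome.py android "143.0.7499.192"` to evaluate a version string collected elsewhere (an MDM inventory, for instance), or with just a platform name to read the local binary. Because the check reads the installed binary rather than the running process, a result of "patched" still requires that the browser has been relaunched since the update landed.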

Broader Implications

Chrome dominates browser market share, making any Chrome vulnerability worth attention. But the WebView connection extends this vulnerability's relevance to the Android ecosystem more broadly.

Google releases WebView as a separately updatable component on Android. Most Android devices receive WebView updates through Google Play independent of system updates. This means the fix can reach users faster than a typical Android security patch, but it also means users need to ensure WebView updates are enabled.

Organizations managing Android device fleets should verify WebView is set to update automatically. Devices with Google Play Services disabled or restricted may require manual intervention.

Recommendations

  1. Update Chrome immediately - Check your version and restart if an update is available
  2. Audit installed extensions - Remove any extensions you don't actively use or don't recognize
  3. Review extension permissions - Extensions requesting broad permissions deserve scrutiny
  4. Enable automatic updates - Both Chrome and WebView should update without manual intervention
  5. Consider extension allowlisting - Enterprise environments can restrict which extensions users install
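Recommendations 2, 3 and 5 come down to one audit: enumerate what is installed, compare it against an allowlist, and flag extensions asking for broad page access. The script below is an added example, not Google's tooling. It assumes Chrome's on-disk layout of `<profile>/Extensions/<extension id>/<version>_<n>/manifest.json` (the Linux default profile is `~/.config/google-chrome/Default`); the allowlist IDs, the two sample manifests and the set of permissions treated as "broad" are constructed here for illustration and should be replaced with your own policy.

```python
"""Audit a Chrome profile's installed extensions: flag those not on an
allowlist and those requesting broad page-access permissions.

Added example, not Google's tooling. It assumes the on-disk layout
<profile>/Extensions/<extension id>/<version>_<n>/manifest.json (the Linux
default profile is ~/.config/google-chrome/Default). The allowlist IDs, the
sample manifests and the set of "broad" permissions are constructed here
for illustration.
"""
import json
import re
import tempfile
from pathlib import Path

# Permissions and host patterns that let an extension read or change
# arbitrary pages (constructed list; adjust to your own policy).
BROAD_PERMISSIONS = {
    "<all_urls>", "*://*/*", "http://*/*", "https://*/*",
    "tabs", "scripting", "webNavigation", "debugger", "webview",
}

# Constructed allowlist: 32-character a-p IDs, the format Chrome uses.
SAMPLE_ALLOWLIST = {"a" * 32}

DEFAULT_EXTENSIONS_DIR = Path.home() / ".config/google-chrome/Default/Extensions"


def _version_key(path):
    # Directory names look like '1.2.3_0'; compare numerically, not as text.
    return tuple(int(n) for n in re.findall(r"\d+", path.name))


def find_manifests(extensions_dir):
    """Yield (extension_id, manifest_path) for the newest installed version
    of each extension under `extensions_dir`."""
    root = Path(extensions_dir)
    if not root.is_dir():
        return
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        versions = [v for v in ext_dir.iterdir() if (v / "manifest.json").is_file()]
        if versions:
            yield ext_dir.name, max(versions, key=_version_key) / "manifest.json"


def audit_extension(ext_id, manifest_path, allowlist):
    """Summarise one manifest: identity, allowlist status and which of its
    permissions, host permissions or content-script match patterns fall in
    BROAD_PERMISSIONS."""
    with open(manifest_path, encoding="utf-8") as fh:
        manifest = json.load(fh)
    requested = set(manifest.get("permissions", []))
    requested |= set(manifest.get("host_permissions", []))  # MV3 host access
    for script in manifest.get("content_scripts", []):
        requested |= set(script.get("matches", []))  # pages it injects into
    return {
        "id": ext_id,
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "allowlisted": ext_id in allowlist,
        "broad_permissions": sorted(requested & BROAD_PERMISSIONS),
    }


def audit_profile(extensions_dir, allowlist):
    return [audit_extension(i, p, allowlist) for i, p in find_manifests(extensions_dir)]


def needs_review(report):
    """Entries that are not allowlisted or that hold broad permissions."""
    return [r for r in report if not r["allowlisted"] or r["broad_permissions"]]


def build_sample_profile(base_dir):
    """Write two constructed extensions in Chrome's layout and return the
    Extensions directory. 'a'*32 is allowlisted and modest (two versions, to
    show the newest is picked); 'b'*32 is unknown and asks for all pages."""
    samples = {
        ("a" * 32, "1.0.0_0"): {"manifest_version": 3, "name": "Tab Notes",
                                "version": "1.0.0", "permissions": ["storage"]},
        ("a" * 32, "1.1.0_0"): {"manifest_version": 3, "name": "Tab Notes",
                                "version": "1.1.0", "permissions": ["storage"]},
        ("b" * 32, "0.9_0"): {"manifest_version": 3, "name": "Free Coupons",
                              "version": "0.9", "permissions": ["tabs", "storage"],
                              "host_permissions": ["<all_urls>"]},
    }
    ext_root = Path(base_dir) / "Extensions"
    for (ext_id, ver_dir), manifest in samples.items():
        target = ext_root / ext_id / ver_dir
        target.mkdir(parents=True, exist_ok=True)
        (target / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return ext_root


def demo():
    """Audit the constructed sample profile in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_profile(build_sample_profile(tmp), SAMPLE_ALLOWLIST)


if __name__ == "__main__":
    live = DEFAULT_EXTENSIONS_DIR.is_dir()
    report = audit_profile(DEFAULT_EXTENSIONS_DIR, SAMPLE_ALLOWLIST) if live else demo()
    for entry in needs_review(report):
        print(f"{entry['id']} {entry['name']} {entry['version']}: "
              f"allowlisted={entry['allowlisted']} broad={entry['broad_permissions']}")
```

On a machine with a real profile the script reads it; otherwise it audits the constructed sample. Only the entries returned by `needs_review` need a human decision: an allowlisted extension with narrow permissions is skipped, while an unknown extension, or one that can script every page, is exactly the kind of install that turns a policy-enforcement bug like CVE-2026-0628 into a practical problem.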

The vulnerability has been patched. The risk now is users who delay updates or organizations that haven't pushed the fix to managed browsers. Chrome vulnerabilities get exploited quickly once public—the window between patch release and widespread updating is when attackers have the best opportunity.
