Chrome WebView Flaw Lets Attackers Bypass Security Controls
Google patches CVE-2026-0628 in first 2026 update. The high-severity bug affects billions of users across Chrome and Android applications.
Google released Chrome versions 143.0.7499.192 and 143.0.7499.193 on January 6 to address a high-severity vulnerability in WebView, the browser component that embeds one web page inside another context. CVE-2026-0628 allows an attacker to bypass the security policies that are supposed to block unauthorized script execution and data access across that embedding boundary.
The fix marks Chrome's first security update of 2026. Given WebView's role in rendering embedded web content in Chrome, in Android, and in the many third-party apps built on it, Google estimates the vulnerability affects roughly 3 billion users.
What Is CVE-2026-0628?
The vulnerability stems from insufficient policy enforcement in Chromium's `<webview>` tag, the element that lets a Chrome extension or app embed a guest web page, rendered in its own process, inside the extension's or app's interface without launching a separate browser window. Android applications embed pages through a related mechanism, android.webkit.WebView, which Google ships as Android System WebView and builds from the same Chromium engine; it is the invisible browser engine behind in-app browsers, embedded content, and countless Android applications.
An attacker who convinced a user to install a malicious browser extension could exploit CVE-2026-0628 to inject scripts or HTML into privileged pages. That breaks the fundamental isolation WebView is supposed to provide between untrusted web content and the sensitive application context that embeds it.
Security researcher Gal Weizman reported the vulnerability to Google on November 23, 2025, giving the company six weeks to develop and test a patch before public disclosure.
Why This Matters
WebView vulnerabilities differ from typical browser bugs. When Chrome has a flaw, users can update Chrome. When WebView has a flaw, every application that embeds web content inherits that flaw: banking apps, social media clients, email applications, and anything else that displays web pages inline. One caveat for Android specifically: the attack path described for this bug runs through a malicious Chrome extension, and an app's embedded WebView does not load extensions, so exposure there depends on the same policy-enforcement code being reachable through the android.webkit.WebView embedding rather than on the extension vector itself.
The policy enforcement issue specifically threatens:
- Banking and payment apps that display web-based transaction pages
- Corporate MDM solutions that render dashboards in-app
- Social media clients showing embedded content
- Email applications with HTML rendering
Android's fragmented update ecosystem compounds the problem. While Chrome updates roll out quickly, apps do not control their own WebView: they depend on the system-level Android System WebView package (or, on older Android releases, on Chrome acting as the WebView provider), whose update path varies by device and is sometimes controlled by the manufacturer rather than by Google Play.
Patched Versions
The fix is available in:
| Platform | Fixed Version |
|---|---|
| Windows | 143.0.7499.192 or 143.0.7499.193 |
| macOS | 143.0.7499.192 or 143.0.7499.193 |
| Linux | 143.0.7499.192 |
| Android | 143.0.7499.193 |
Chrome typically auto-updates, but you can force an immediate check from the Chrome menu: Help > About Google Chrome. The browser downloads and applies any available update, then prompts for a restart; the version shown on that page should be at or above the fixed build for your platform.
Android users should verify both their Chrome version and the Android System WebView version, since most devices ship these as two separately updatable Play Store components. The fixed Android build for both is 143.0.7499.193.
What Attackers Could Do
Before the patch, a malicious extension could:
- Inject arbitrary scripts into pages that should be protected
- Access sensitive data displayed in WebView contexts
- Modify page content to facilitate phishing or credential theft
- Bypass content security policies that applications rely on
The requirement for a malicious extension raises the bar: the attacker first has to get the user to install something. But malicious extensions regularly slip past review processes. Google removed hundreds of compromised extensions from the Chrome Web Store in 2025 alone, including the DarkSpectre campaign that affected 8 million users.
The Bigger Picture
This vulnerability reflects a recurring theme in modern security: abstraction layers create hidden dependencies. Application developers rarely think about WebView security; they assume the underlying platform handles it. When that assumption breaks, the blast radius extends far beyond the original vulnerable component.
Google's response timeline was reasonable. Six weeks from report to patch, with no evidence of active exploitation, falls within industry norms. The challenge now is getting that patch deployed across billions of devices and applications, some of which will never receive updates.
Organizations running mobile device management should verify that their managed devices received the update, checking both the Chrome and the Android System WebView package versions rather than only Chrome. Security teams should audit internally developed applications that embed web content to confirm they render through the system WebView, which receives this fix through Play, rather than through a bundled browser engine that only updates when the app itself ships a new release.
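The version check described in the Patched Versions section and the fleet audit recommended above can be scripted. The following POSIX shell script is an added example, not code from Google or from this article: it parses the `versionName=` lines that `adb shell dumpsys package <pkg>` prints for com.android.chrome and com.google.android.webview and compares them numerically against the fixed Android build, 143.0.7499.193. The dumpsys text embedded in the script is constructed so that it runs offline; the version codes and the "older" WebView version in it are made up for illustration.

```shell
#!/bin/sh
# Added example: check Chrome and Android System WebView builds against the
# CVE-2026-0628 fix. On a real device, replace the constructed samples with:
#   adb shell dumpsys package com.android.chrome
#   adb shell dumpsys package com.google.android.webview

FIXED_ANDROID=143.0.7499.193   # fixed Android build from the release notes

# version_ge A B: print "yes" if dotted version A >= B (field by field,
# missing fields count as 0), otherwise "no".
version_ge() {
    printf '%s\n%s\n' "$1" "$2" | awk -F. '
        NR == 1 { for (i = 1; i <= NF; i++) a[i] = $i; n = NF }
        NR == 2 {
            m = (NF > n) ? NF : n
            for (i = 1; i <= m; i++) {
                x = (i in a) ? a[i] + 0 : 0
                y = (i <= NF) ? $i + 0 : 0
                if (x > y) { print "yes"; exit }
                if (x < y) { print "no";  exit }
            }
            print "yes"
        }'
}

# extract_version: pull the first versionName=X.Y.Z.W value from dumpsys text on stdin.
extract_version() {
    sed -n 's/.*versionName=\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# check_package LABEL DUMPSYS_TEXT FIXED: report status; exit 0 if patched,
# 1 if older than the fix, 2 if no version could be parsed.
check_package() {
    installed=$(printf '%s\n' "$2" | extract_version)
    if [ -z "$installed" ]; then
        echo "$1: version not found"
        return 2
    fi
    if [ "$(version_ge "$installed" "$3")" = yes ]; then
        echo "$1: $installed (patched, >= $3)"
        return 0
    fi
    echo "$1: $installed (VULNERABLE, < $3)"
    return 1
}

# audit_device CHROME_DUMP WEBVIEW_DUMP: a device is only clean when both
# the Chrome and the WebView provider package are at the fixed build.
audit_device() {
    rc=0
    check_package "Chrome" "$1" "$FIXED_ANDROID" || rc=1
    check_package "Android System WebView" "$2" "$FIXED_ANDROID" || rc=1
    return $rc
}

# Constructed sample dumpsys output (not captured from a real device):
# Chrome is already on the fixed build, the WebView package is still older.
CHROME_DUMP='  Package [com.android.chrome] (a1b2c3):
    versionCode=749919300 minSdk=26 targetSdk=35
    versionName=143.0.7499.193'
WEBVIEW_DUMP='  Package [com.google.android.webview] (d4e5f6):
    versionCode=749914100 minSdk=26 targetSdk=35
    versionName=143.0.7499.141'

if audit_device "$CHROME_DUMP" "$WEBVIEW_DUMP"; then
    echo "device: patched"
else
    echo "device: needs update"
fi
```

For a fleet, run the two `dumpsys` commands per enrolled device (or export the equivalent package inventory from the MDM) and feed each pair into `audit_device`; any non-zero exit marks a device that still renders embedded content through an unpatched engine.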
Published January 7, 2026