~/home/news/chrome-gemini-panel-flaw-cve-2026-03-05
newsThursday, March 5, 20268 min read👁 6 views

Chrome’s Gemini Panel Flaw (CVE-2026-0628) Enables Malicious Extensions to Escalate Privileges

A high-severity vulnerability (CVE-2026-0628) in Chrome’s Gemini Live side-panel allowed malicious extensions to bypass policy checks, inject code into privileged pages and gain local file system, camera, and microphone access. Google patched the issue in Chrome 143.0.7499.192/.193 (Windows/macOS) and 143.0.7499.192 (Linux) in early January 2026.

ChromeVulnerabilityCVE-2026-0628Gemini Panel

Overview/Introduction

Google Chrome introduced the Gemini Live side-panel in September 2025, exposing an AI-driven assistant powered by the Gemini model. While the feature promises real-time summarisation, translation, and task automation, it also opened a new attack surface. Security researchers from Palo Alto Networks’ Unit 42 disclosed a critical vulnerability-tracked as CVE-2026-0628-that lets a malicious Chrome extension hijack the Gemini panel, bypass extension policy checks, and execute arbitrary code with elevated privileges.

Technical Details

CVE Identifier: CVE-2026-0628
CVSS v3.1 Score: 8.8 (High)

The flaw resides in the WebView tag used by the Gemini panel. The panel is launched via the internal URL chrome://glic, which loads the web app gemini.google.com inside a WebView component. Chrome’s extension policy enforces strict CSP and permission checks for extensions, but the WebView implementation failed to propagate those checks to the embedded page.

By crafting a Chrome extension with only the baseline "permissions": ["storage"], an attacker could:

  • Inject JavaScript or HTML into the privileged Gemini page via the WebView’s src attribute.
  • Escalate the extension’s privileges, effectively bypassing the extension_manifest.json policy validation.
  • Gain direct access to the local file system using the chrome.fileSystem API, which is normally restricted to extensions with explicit file-system permissions.
  • Activate the user’s camera and microphone, capture screenshots of any visited site, and read/write arbitrary files in the user’s profile directory.

The attack does not require any user interaction beyond the initial installation of the malicious extension-a step that can be socially engineered through phishing emails, malicious ads, or compromised extension marketplaces.

The vulnerability was internally codenamed “Glic Jack” (Glic = Gemini Live Container, Jack = hijack). The exploit chain leverages the fact that the Gemini panel runs with a higher-privileged context than a typical extension, effectively acting as a privilege-escalation bridge.

Impact Analysis

All Chrome versions prior to 143.0.7499.192 (Windows/macOS) and 143.0.7499.192 (Linux) are vulnerable. This includes:

  • Desktop users on Windows 10/11, macOS Ventura and later, and major Linux distributions (Ubuntu, Fedora, Debian, etc.).
  • Enterprise environments that deploy Chrome via standard policies but allow users to install extensions from the Chrome Web Store.
  • Any organization that has enabled the Gemini panel for its workforce, especially those leveraging AI-assisted browsing for productivity.

The impact ranges from data exfiltration (e.g., copying confidential documents) to espionage (e.g., activating microphones and cameras to capture ambient conversations). Because the exploit runs in the context of the user’s Chrome session, it can also harvest cookies, session tokens, and perform intra-site request forgery (CSRF) attacks.

Timeline of Events

  • 23 Nov 2025: Palo Alto Networks Unit 42 researcher Gal Weizman discovers the WebView policy bypass and reports it to Google’s Vulnerability Reward Program (VRP).
  • Early Jan 2026: Google develops and releases the patch in Chrome 143.0.7499.192 (Linux) and 143.0.7499.192/.193 (Windows/macOS).
  • 02 Mar 2026: The vulnerability is publicly disclosed by The Hacker News and covered by multiple security outlets.
  • 05 Mar 2026: RootShell.blog publishes this detailed analysis.

Mitigation/Recommendations

Immediate steps for users and administrators:

  • Update Chrome: Ensure all machines run Chrome 143.0.7499.192 or later. Enterprise deployments should enforce auto-update via policy.
  • Audit Extensions: Review installed extensions, especially those with only minimal permissions. Remove any that are unnecessary or sourced from untrusted developers.
  • Restrict Gemini Panel: For environments where AI assistance is not required, disable the Gemini side-panel via the ExtensionInstallForcelist or SidePanelEnabled policy.
  • Enforce Extension Policies: Use Chrome Enterprise policies to block installation of extensions from outside the corporate whitelist and to require explicit approval for any extension requesting file-system, camera, or microphone access.
  • Monitor WebView Usage: Deploy endpoint detection and response (EDR) solutions that can flag anomalous WebView activity, especially attempts to load chrome://glic from a non-trusted context.
  • Educate End-Users: Conduct phishing awareness training that highlights the risk of installing seemingly benign extensions.

Real-World Impact

In practice, the vulnerability could be weaponised in several scenarios:

  • Corporate Espionage: An attacker could distribute a malicious extension via a compromised internal software portal, granting them silent access to confidential files and the ability to record meetings.
  • Supply-Chain Attack: If a popular extension were compromised, millions of users could be infected simultaneously, turning the Gemini panel into a mass-scale data-stealing conduit.
  • Targeted APT Operations: Advanced Persistent Threat groups could use the technique to bypass network segmentation, as the malicious code runs within the browser’s trusted context and can communicate directly with internal services.

Given Chrome’s market share (>65% on desktop), the attack surface is substantial. Organizations that have already integrated AI-driven browsing tools should reassess the risk-to-benefit ratio, especially in regulated sectors where data leakage carries heavy penalties.

Expert Opinion

From a senior analyst’s perspective, CVE-2026-0628 is a wake-up call about the security implications of embedding AI agents directly into the browser UI. The Gemini panel represents a new class of “privileged assistant” that must interact with both web content and local resources. When the sandboxing boundary between the assistant and the extension ecosystem is weak, attackers gain a powerful foothold.

Google’s quick patch demonstrates a mature vulnerability-response process, but the underlying design decision-to expose a WebView-based AI panel without strict policy enforcement-should be revisited. Future browser-based AI features need to adopt a zero-trust model: every request to local resources should be explicitly authorized, and any third-party code (including extensions) must be isolated from the AI’s privileged context.

In the broader industry, we can expect a surge of similar attacks as vendors race to embed generative AI into browsers, IDEs, and operating systems. Security teams must therefore expand their threat models to include AI-assistant abuse, enforce strict extension whitelisting, and monitor side-panel activity as part of normal security hygiene.