In the first week of January 2026, Google released Chrome version 143.0.7499.192 (and .193 on some platforms), marking the first major security update of the year. While most Chrome updates patch multiple issues, this release stood out because it addressed only one vulnerability — but a particularly interesting and potentially dangerous one: CVE-2026-0628.
Classified as High severity by the Chromium security team, this flaw lives in one of the more exotic corners of the browser: the <webview> tag.
What is the <webview> Tag Anyway?
The <webview> tag is a special Chromium component that allows developers to embed a full web browsing context inside another web page or application. Think of it as a browser window inside a browser window.
It's most commonly used in two scenarios:
- Chrome Extensions — many powerful extensions (especially developer tools, note-taking apps, media players, or custom dashboards) use <webview> to display external websites, authentication flows, or rich content without leaving the extension popup/background page.
- Electron-based desktop applications — apps like VS Code, Slack (older versions), Discord, Figma, and hundreds of others are built on Electron, which under the hood uses Chromium's <webview> (or closely related mechanisms) for embedded web content.
Because <webview> essentially runs a separate renderer process with its own origin and security context, Chromium applies very strict policy enforcement rules to prevent it from doing dangerous things — such as accessing privileged pages, stealing cookies from other contexts, injecting code into chrome:// pages, or bypassing the extension's own Content Security Policy (CSP).
… until CVE-2026-0628 came along.
The Vulnerability: When Policies Are Not Enforced Strongly Enough
According to the official description:
"Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension." (Chromium security severity: High)
A specially crafted malicious Chrome extension could create a <webview> element that breaks the normal security boundaries. It could load and inject arbitrary HTML/scripts into pages that should be completely protected — most worryingly, privileged internal pages (chrome://, extension background pages with elevated privileges, or other high-trust contexts).
The attack flow typically looked like this:
- Attacker publishes (or socially engineers users into sideloading) a malicious extension
- User installs the extension (the classic social engineering requirement)
- Extension creates a specially crafted <webview>
- Due to missing/incorrect policy checks → the <webview> manages to inject code into a privileged context
- Attacker now runs JavaScript with much higher privileges than a normal extension should ever have
This could potentially lead to:
- Stealing sensitive data from other extensions
- Modifying chrome:// pages (passwords, settings, flags…)
- Bypassing extension CSP / Content Security Policy
- Persistent malicious behavior inside the browser itself
Fortunately, no in-the-wild exploitation has been publicly reported at the time of writing (mid-January 2026). Still, the existence of at least three public proof-of-concept repositories on GitHub makes this vulnerability more concerning than the average "theoretical" high-severity bug.
Who Is Most at Risk?
| Group | Risk Level | Reason |
|---|---|---|
| Regular Chrome users | Low | Requires installing malicious extension |
| Power users / extension collectors | Medium | More likely to install experimental/sideloaded extensions |
| Enterprise environments | Medium-High | Corporate extension sideloading policies sometimes more permissive |
| Electron app developers/users | High | Many Electron apps embed WebView-like components and may lag in updating underlying Chromium |
| Extension developers | Very High | Need to understand whether their own usage of <webview> was vulnerable |
How to Protect Yourself (January 2026 Edition)
- Update immediately → Chrome → Help → About Google Chrome Target version: 143.0.7499.192 or newer (Same fix applies to Chromium-based browsers once they ingest the patch — Edge, Brave, Vivaldi, Opera, etc.)
- Review your extensions
chrome://extensions/
- Remove anything you don't 100% trust
- Be extremely cautious with extensions that request broad "Read and change all your data on all websites" permissions
- Enterprise / MDM admins
- Check embedded Chromium versions in Electron apps
- Prioritize updates for internet-facing machines
- Consider restricting extension installation to the allow-list only
- Developers using <webview>
- Re-test your extension/app after updating to Chrome 143+
- Consider whether you really need <webview> (many modern use-cases can be replaced with <iframe> + postMessage)
Final Thoughts
CVE-2026-0628 is a classic reminder that even in 2026, after decades of browser security hardening, the interplay between extensions, embedded webviews, and privileged contexts remains one of the hardest surfaces to defend perfectly.
The good news? Google reacted quickly, released a fix in the first week of the year, and — most importantly — required user interaction (malicious extension installation) to exploit the flaw.
Still… in a world where sophisticated phishing campaigns regularly trick users into installing fake browser extensions, "requires user interaction" doesn't feel as comforting as it used to.
Stay updated, stay suspicious of shiny new extensions, and keep that Chrome version number current.
Safe browsing in 2026! 🔒