Google has issued an urgent security update for Chrome after uncovering a high-severity vulnerability that could allow attackers to bypass important browser security restrictions. While no active exploitation has been confirmed yet, the nature of the flaw makes it a serious concern for both individual users and organisations.
At the centre of the issue is Chrome's WebView component, a core feature widely used by applications to display web content without launching a full browser window.
What Went Wrong Inside Chrome
The vulnerability, tracked as CVE-2026-0628, carries a CVSS 3.1 score of 8.8 out of 10, placing it firmly in the high-risk category. It stems from insufficient policy enforcement within Chrome's WebView tag component.
In simple terms, Chrome failed to consistently apply certain security rules meant to isolate and protect embedded web content. This weakness opens the door for attackers to bypass restrictions that normally prevent untrusted code from accessing privileged browser areas.
Why WebView Is a High-Value Target
WebView plays a critical role in modern applications by allowing developers to embed web pages directly into apps. Because it operates in a semi-privileged environment, any lapse in enforcement can have wide-ranging consequences.
If exploited, this vulnerability could allow a malicious Chrome extension to inject scripts or HTML into protected pages, access sensitive data, or manipulate web content in ways users would not expect. Over time, this could also enable deeper escalation within Chrome's internal workflows.
How an Attack Could Happen
While this flaw cannot be exploited silently, it still poses a meaningful risk. An attacker would typically rely on social engineering tactics to convince a user to install a specially crafted Chrome extension. This could happen through deceptive websites, misleading prompts, or tricking users into granting excessive permissions.
Once installed, the malicious extension could exploit the policy gap to run arbitrary scripts in elevated contexts. Potential impacts include unauthorized script injection, data theft or manipulation, web content spoofing, and further compromise of browser-based processes.
Affected Chrome Versions
Google has confirmed that the vulnerability affects specific Chrome releases across all major desktop platforms. Impacted versions include Chrome 143.0.7499.192 on Windows and macOS, as well as 143.0.7499.191 on Linux systems. Users running these versions remain exposed until they apply the latest security update.
Patches Are Available, But Action Is Required
Google has already released patched versions of Chrome through the stable channel. Updated builds include version 143.0.7499.193 for Windows and macOS, and 143.0.7499.192 for Linux systems. To reduce the risk of attackers exploiting the flaw, Google has temporarily limited public access to detailed technical information about the vulnerability until the majority of users have updated their browsers.
What Users and Organisations Should Do Now
For individual users, the solution is straightforward. Updating Chrome to the latest version immediately closes the security gap. This can be done by navigating to Settings, then Help, and selecting About Google Chrome, where the browser will automatically check for updates.
For organisations, especially those running Chrome in enterprise environments, patch deployment should be treated as a priority. Delays in updating increase the risk of targeted attacks once technical details become more widely known.
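For enterprise fleets, the practical first step is to compare each installed Chrome build against the fixed versions the advisory names. The script below is an added example, not code from Google or from the article: it takes the per-platform fixed versions stated above and flags inventory entries that are still below them. The inventory records, hostnames and the 144.x build number are constructed sample data, not real hosts.

```python
# Added example (not from the article): flag Chrome installs that predate the
# fixed builds named in the advisory. The fixed versions are the ones stated in
# the article; the inventory records below are constructed sample data.
from typing import Dict, List, Tuple

# Minimum build that contains the fix for CVE-2026-0628, per the advisory.
FIXED_VERSIONS: Dict[str, str] = {
    "windows": "143.0.7499.193",
    "macos": "143.0.7499.193",
    "linux": "143.0.7499.192",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted Chrome version such as '143.0.7499.192' into a comparable tuple."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version format: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(platform: str, version: str) -> bool:
    """True if this Chrome build is at or above the fixed version for its platform."""
    key = platform.strip().lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"no fixed version known for platform {platform!r}")
    # Tuple comparison handles the four numeric components in order, so a later
    # major release (e.g. 144.x) correctly counts as patched.
    return parse_version(version) >= parse_version(FIXED_VERSIONS[key])


def hosts_needing_update(inventory: List[Dict[str, str]]) -> List[str]:
    """Return hostnames whose Chrome build is still below the fixed version."""
    return [
        entry["host"]
        for entry in inventory
        if not is_patched(entry["platform"], entry["chrome_version"])
    ]


# Constructed sample inventory: hostnames and the 144.x build are made up for illustration.
SAMPLE_INVENTORY = [
    {"host": "ws-101", "platform": "windows", "chrome_version": "143.0.7499.192"},
    {"host": "ws-102", "platform": "windows", "chrome_version": "143.0.7499.193"},
    {"host": "mac-07", "platform": "macOS", "chrome_version": "144.0.7520.10"},
    {"host": "lnx-03", "platform": "linux", "chrome_version": "143.0.7499.191"},
    {"host": "lnx-04", "platform": "linux", "chrome_version": "143.0.7499.192"},
]

if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: Chrome below fixed version, update required")
```

On the sample inventory this reports ws-101 and lnx-03, the two hosts running the affected builds named in the article.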
Final Thoughts
Although no real-world attacks have been reported so far, vulnerabilities like this highlight how browser components can become high-impact attack surfaces. WebView's widespread use makes it particularly attractive to threat actors, especially when combined with social engineering.
Staying updated remains one of the simplest and most effective defences. In this case, timely patching is the key difference between being protected and being exposed.