Google Patches High-Severity Chrome WebView Flaw CVE-2026-0628 in the Tag Component
Published
Key Takeaways
- Critical Flaw Identified: Google has patched a high-severity vulnerability, tracked as CVE-2026-0628, in the WebView tag component of its Chrome browser.
- Potential Impact: The flaw could allow an attacker to bypass critical security restrictions within applications that use WebView.
- Immediate Mitigation: Users are urged to update to Chrome version 143.0.7499.192/.193 for Windows/Mac or 143.0.7499.192 for Linux.
Google has issued an urgent security update to address a high-severity vulnerability in its Chrome browser. The flaw, identified as CVE-2026-0628, affects the WebView tag component, a critical element that allows applications to render web content within their native interfaces without launching a separate browser.Â
The vulnerability arises from insufficient policy enforcement, creating a security gap that a malicious actor could potentially exploit to bypass established security controls.
Mitigation via Google Chrome Patch
In response to the discovery, Google has rolled out an updated version of Chrome across all desktop platforms. Users should ensure their browsers are updated to version:
- Windows and Mac – 143.0.7499.192/.193
- Linux – 143.0.7499.192.Â
- Android – Chrome 143 (143.0.7499.192) will become available on Google Play over the next few days.
To apply the 2026 Google Chrome patch manually, navigate to Settings > Help > About Google Chrome to trigger an automatic check for and installation of the latest version, then relaunch the browser.Â
The update will be distributed through the Stable channel over the coming days. As per its standard disclosure policy, Google is restricting access to the detailed bug report until a majority of users have applied the patch.Â
Technical Impact of the WebView Vulnerability
The Chrome WebView vulnerability poses a significant risk to applications that rely on it to display external web content. Given WebView's widespread use in mobile and desktop applications, the potential attack surface is extensive.Â
In October, a cyberespionage campaign dubbed Operation ForumTroll targeted organizations in Russia and Belarus with spear-phishing attacks leveraging a zero-day exploit to escape the Google Chrome sandbox and deliver its payload.
Last week, a new flaw in the IoT world exposed pet owners to cybersecurity risks as the Petlibro smart pet feeder exposed private user data and employee details.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular