Cybersecurity researchers disclosed a now-patched Chrome vulnerability (CVE-2026-0628) in the WebView-based Gemini Live side panel that could let malicious extensions escalate privileges and access local files, camera, and microphone. The bug, dubbed Glic Jack, was reported by Palo Alto Networks Unit 42 and fixed by Google in early January 2026. #GlicJack #CVE20260628
Keypoints
- CVE-2026-0628 (Glic Jack) was an insufficient policy enforcement flaw in Chrome's WebView-based Gemini Live side panel that could enable privilege escalation.
- Palo Alto Networks Unit 42 researcher Gal Weizman reported the issue on November 23, 2025, and Google patched it in early January 2026 in Chrome 143.0.7499.192/.193.
- A malicious extension using the declarativeNetRequest API could inject JavaScript into the chrome://glic Gemini panel and execute arbitrary code at gemini.google.com/app.
- Successful exploitation could grant access to camera, microphone, screenshots, and local files, and enable persistent hidden prompts that abuse AI agent behavior.
- The flaw underscores the security risks of embedding agentic AI panels in browsers, which expand the attack surface and can reintroduce classic browser vulnerabilities.
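Two things a defender can check from the points above: whether the installed Chrome build is at or past the fixed 143.0.7499.192 build, and which installed extensions hold declarativeNetRequest permissions together with host access reaching google.com. The script below is an added example, not code from Unit 42 or Google; it assumes the standard Chrome profile layout `Extensions/<id>/<version>/manifest.json`, uses the real Manifest V3 permission names, and the host-pattern heuristic and sample manifests are constructed for the demo.

```python
import json
from pathlib import Path

PATCHED_CHROME = (143, 0, 7499, 192)  # fixed build named in the disclosure (.193 on some platforms)
# Manifest V3 permission names that grant declarativeNetRequest capabilities.
DNR_PERMISSIONS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess", "declarativeNetRequestFeedback"}

def parse_version(text):
    """Turn '143.0.7499.192' into a tuple of ints so builds compare numerically."""
    return tuple(int(part) for part in text.split("."))

def chrome_is_patched(version):
    """True when the running Chrome build is at or above the fixed build."""
    return parse_version(version) >= PATCHED_CHROME

def host_patterns(manifest):
    """Collect host match patterns from host_permissions and (MV2-style) permissions."""
    entries = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    return [p for p in entries if p == "<all_urls>" or "://" in p]

def assess_manifest(manifest):
    """Return findings that make an extension worth reviewing for this bug class."""
    dnr = set(manifest.get("permissions", [])) & DNR_PERMISSIONS
    if not dnr:
        return []
    findings = ["declarativeNetRequest: " + ", ".join(sorted(dnr))]
    if any(h == "<all_urls>" or h.startswith("*://*/") or "google.com" in h for h in host_patterns(manifest)):
        findings.append("host access reaches google.com or all URLs")
    if "declarative_net_request" in manifest:
        findings.append("ships static DNR rulesets: review rules for header/redirect actions")
    return findings

def scan_extensions_dir(root):
    """Scan <profile>/Extensions/<id>/<version>/manifest.json; map extension id -> findings."""
    results = {}
    for mf in Path(root).glob("*/*/manifest.json"):
        findings = assess_manifest(json.loads(mf.read_text(encoding="utf-8")))
        if findings:
            results[mf.parent.parent.name] = findings
    return results

# Constructed sample manifests (not from any real extension) for an offline demo.
SUSPECT = {"name": "demo", "manifest_version": 3, "host_permissions": ["*://*.google.com/*"],
           "permissions": ["declarativeNetRequestWithHostAccess", "storage"],
           "declarative_net_request": {"rule_resources": [{"id": "r", "path": "rules.json", "enabled": True}]}}
BENIGN = {"name": "notes", "manifest_version": 3, "permissions": ["storage"]}
```

A hit from `assess_manifest` is a review trigger, not proof of malice: many legitimate ad blockers hold the same permissions, so the follow-up is to read the extension's rule files and confirm the browser is on the patched build.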
Read More: https://thehackernews.com/2026/03/new-chrome-vulnerability-let-malicious.html