Google has released an urgent security update for its Chrome browser addressing a high-risk zero-day vulnerability that could potentially affect billions of users worldwide, reports The WP Times with reference to Chrome Releases. The flaw has been fixed in Chrome versions 143.0.7499.192/193 for Windows and macOS and version 143.0.7499.192 for Linux. According to Google, there is currently no evidence that the vulnerability has been exploited in active attacks.

The security issue was disclosed in a post on the Chrome Releases blog, where Google representative Harry Souders confirmed that the vulnerability had been reported in November by external security researcher Gal Weizman. Google did not provide extensive technical details, citing security considerations.

What vulnerability was fixed

The flaw is tracked as CVE-2026-0628 and has been classified as a high-severity security issue. It is located in Chrome’s WebView component and is caused by insufficient enforcement of security policies.

According to the official Common Vulnerabilities and Exposures (CVE) entry, the issue allowed certain security rules to be applied inconsistently, creating conditions under which untrusted content could be processed improperly.

Key characteristics of the vulnerability include:

  • Classification: High risk
  • Identifier: CVE-2026-0628
  • Affected component: WebView
  • Root cause: Insufficient policy enforcement
  • Reported by: Gal Weizman (external researcher)
  • Reported to Google: November 2025

How the vulnerability could be exploited

The CVE description explains that attackers could exploit the weakness by persuading users to install a malicious Chrome extension. Once installed, the extension could be used to inject scripts or HTML into privileged Chrome pages.

The official CVE program states that:

  • The vulnerability existed in Chrome versions prior to 143.0.7499.192
  • A crafted Chrome extension could bypass policy checks
  • Malicious scripts or HTML could be injected into privileged pages
  • Exploitation required user interaction, specifically installing a malicious extension

This type of attack could potentially enable unauthorized code execution within protected browser contexts.

Chrome versions affected and patched

Google confirmed that the vulnerability has been resolved in the following releases:

  • Chrome 143.0.7499.192 for Linux
  • Chrome 143.0.7499.192 for Windows
  • Chrome 143.0.7499.193 for Windows
  • Chrome 143.0.7499.192 for macOS
  • Chrome 143.0.7499.193 for macOS

Users running earlier versions are advised to update immediately.
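For administrators who need to check many machines rather than one, the version threshold above can be applied to an inventory export. The following is an added example, not code from Google or from the article; the hostnames and version strings in the sample inventory are constructed, and the only value taken from the article is the first fixed build, 143.0.7499.192.

```python
import re

# First fixed build named in the article (CVE-2026-0628 affects anything earlier).
FIXED = (143, 0, 7499, 192)
# Exactly four dotted numeric parts, not embedded in a longer dotted number.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")

def parse_version(text):
    """Extract a four-part Chrome version from free text, or return None."""
    m = _VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def classify(version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one reported version string."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    # Tuple comparison is numeric per component, so 143.0.7499.99 < 143.0.7499.192
    # (a plain string comparison would get this case wrong).
    return "patched" if v >= FIXED else "vulnerable"

def audit(inventory):
    """Group hostnames by status; unknowns are kept so they get followed up."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version_text in inventory:
        report[classify(version_text)].append(host)
    return report

# Constructed sample inventory (hostnames and strings are made up for illustration).
SAMPLE = [
    ("win-01", "Google Chrome 143.0.7499.193"),
    ("mac-07", "143.0.7499.192"),
    ("lin-03", "Google Chrome 143.0.7499.99 "),
    ("win-12", "142.0.7444.176"),
    ("kiosk-2", "not installed"),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Hosts reported as unknown should be checked by hand, since a missing or unparseable version string says nothing about whether the patch is installed.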

How users can update Chrome

Chrome typically installs updates automatically once a new version becomes available. However, users can manually verify and trigger the update process by following these steps:

  • Open the Chrome menu
  • Select Help
  • Click About Google Chrome
  • Allow Chrome to check for and install updates
  • Restart the browser if prompted

Cybersecurity analyst and journalist Davey Winder has urged users not to delay the update process.

Expert warning on delayed updates

Davey Winder, a veteran cybersecurity writer and analyst, emphasized the importance of installing the patch as soon as possible due to the potential consequences of exploitation.

He noted that:

  • Chrome has more than three billion users worldwide
  • Unpatched vulnerabilities significantly increase attack risk
  • Users should update immediately rather than waiting

Winder has reported on at least seven zero-day vulnerabilities affecting Chrome throughout 2025 alone.

Context: previous Chrome zero-day vulnerabilities

Google has addressed multiple critical security flaws in Chrome over the past year. Among the most notable cases:

  • June 2025: A vulnerability in Chrome’s V8 JavaScript engine allowing out-of-bounds memory read and write operations, enabling malicious code to access restricted memory areas
  • March 2025: A zero-day vulnerability in the Mojo inter-process communication (IPC) system, which had already been exploited in the wild by advanced threat actors targeting Russian organizations before a patch was released

According to Winder, while the total number of standard vulnerabilities patched by Google last year is difficult to track, all confirmed issues — including CVE-2026-0628 — were ultimately fixed through security updates.
