Billions of Chrome users at risk: Google confirms another zero-day vulnerability


Google has fixed a vulnerability in the new Chrome versions 143.0.7499.192/193 for Windows and macOS and 143.0.7499.192 for Linux. According to the firm, the vulnerability hasn’t yet been exploited for attacks in the wild.

In the Chrome Releases blog post, Google’s representative Harry Souders provides little detail on the fixed vulnerability, which was reported to Google in November by an external researcher, Gal Weizman.

The vulnerability, identified as CVE-2026-0628, is classified as high risk and is located in the WebView component, caused by unspecified rules that aren’t consistently enforced (“insufficient policy enforcement”).

This can mean, for example, that content from an external source is loaded because its origin isn’t checked, or isn’t checked carefully enough, even though the rules require such a check.

“Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension,” the official Common Vulnerabilities and Exposures CVE program said.

Chrome usually updates itself automatically when a new version is available, but you can manually trigger the update check using the menu item Help > About Google Chrome.

That’s precisely what Davey Winder, a veteran cybersecurity writer and analyst, urges Chrome users to do.

“Given the severity of the consequences of being unpatched, should an attacker actually exploit this vulnerability, I would advise Google Chrome users, all three billion of them, not to wait but to update now. Today, if at all possible,” said Winder.

Across 2025, Winder reported on no fewer than seven zero-day security vulnerabilities affecting users of the world’s most popular web browser, which has more than three billion users.

“I’ve actually lost count of the number of ‘ordinary’ vulnerabilities confirmed by Google last year, but the important thing is that they were all fixed. The same is true of CVE-2026-0628,” he said.

For example, in June, Google patched a vulnerability in Chrome’s JavaScript engine, called V8. This vulnerability enabled “out of bounds read and write,” which means malicious code can peek at and edit memory it isn’t supposed to access.

In March, Google patched another dangerous zero-day vulnerability affecting Mojo, an inter-process communication (IPC) system used internally by the Google Chrome browser. Before the patch was issued, the vulnerability had already been exploited by sophisticated threat actors in the wild, targeting Russian organizations.

