Palo Alto Unit 42 details Chrome Gemini bug that risked local file access

Palo Alto Networks' Unit 42 published findings on a high-severity Chrome bug, CVE-2026-0628, that could let malicious extensions hijack Gemini Live and access local files.

Dr. Elena Rodriguez

Palo Alto Networks’ Unit 42 published a detailed report on March 2, 2026, describing a high-severity vulnerability in Google Chrome’s new Gemini Live side panel, tracked as CVE-2026-0628, that could have allowed malicious extensions to hijack the AI assistant and access files on users’ local operating systems. Unit 42 says it privately disclosed the flaw to Google in October 2025 and helped with remediation; Google released a fix in early January 2026.

Unit 42’s analysis identifies the root cause as “insufficient policy enforcement in WebView tag in Google Chrome,” a lapse that permitted crafted extensions to inject code into a privileged browser component. The report says the exploit model required an attacker to convince a user to install a malicious Chrome extension. Once installed, an extension operating with a basic permission set, notably via the declarativeNetRequest API, could be manipulated to inject scripts or HTML into the Gemini panel, enabling privilege escalation.

The report’s executive summary underscores the concrete risk: “This vulnerability allows the attacker to tap into the browser environment and access files on the local operating system.” Unit 42 warns that a successful chain of actions could turn the Gemini Live assistant from a convenience feature into a surveillance vector capable of reading data accessible to the browser and potentially exfiltrating it.

Unit 42 credited senior principal security researcher Gal Weizman with the discovery and labeled the issue high severity. The team said it shared technical findings with peers in the Cyber Threat Alliance so members could rapidly deploy protections, and it noted that Palo Alto Networks customers receive additional mitigation through the company’s products and services. Unit 42 also advised that organizations that suspect compromise should contact the Unit 42 Incident Response team for urgent assistance.

Google included the remediation in Chrome’s January security updates. The fix was incorporated in the stable channel releases numbered 143.0.7499.192 and 143.0.7499.193 for Windows and macOS, and 143.0.7499.192 for Linux. Unit 42 and follow-up patch notes indicate additional security updates have been issued since January that address other issues, including out-of-bounds bugs.

For administrators and users, the immediate action is straightforward: ensure Chrome is updated to the patched stable versions. Enterprise defenders should verify browser fleets and extension inventories, minimizing installation privileges and auditing any extensions that request network or declarativeNetRequest permissions. Unit 42 concluded its disclosure statement by noting: “We responsibly disclosed this vulnerability to Google and assisted in remediation efforts, and they released a fix in early January prior to the publication of this information.”
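One way to script the two checks above, as an added example that is not from Unit 42, Google or this article: it compares a reported Chrome version against the fixed build named here and lists installed extensions whose manifests request watched permissions. The function names, the watch list and the constructed sample extension are assumptions of this example; the scan expects the Extensions folder of a Chrome profile, laid out as <id>/<version>/manifest.json.

```python
import json
import tempfile
from pathlib import Path

# Fixed stable build named in the article (Windows/macOS also shipped .193).
PATCHED = "143.0.7499.192"
# Watch list is this example's assumption: the declarativeNetRequest family,
# plus the older webRequest permissions as the "network" permissions.
WATCHED = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess",
           "declarativeNetRequestFeedback", "webRequest", "webRequestBlocking"}

def is_patched(version, minimum=PATCHED):
    """Compare dotted Chrome versions numerically (string compare is wrong)."""
    as_tuple = lambda v: tuple(int(part) for part in v.strip().split("."))
    return as_tuple(version) >= as_tuple(minimum)

def watched_permissions(manifest):
    """Return the watched permissions a manifest requests, required or optional."""
    requested = set()
    for key in ("permissions", "optional_permissions"):
        requested.update(p for p in manifest.get(key, []) if isinstance(p, str))
    return sorted(requested & WATCHED)

def audit_extensions(extensions_dir):
    """Scan <id>/<version>/manifest.json under a profile's Extensions folder."""
    findings = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
            if not isinstance(manifest, dict):
                raise ValueError("manifest is not a JSON object")
        except (OSError, ValueError):
            # Report instead of skipping: an unreadable manifest needs a human look.
            findings.append({"id": path.parts[-3], "error": "unreadable manifest"})
            continue
        hits = watched_permissions(manifest)
        if hits:
            findings.append({"id": path.parts[-3], "version": path.parts[-2],
                             "name": manifest.get("name", "?"), "permissions": hits})
    return findings

if __name__ == "__main__":
    # Constructed sample: one fake extension in a temporary folder, not real data.
    with tempfile.TemporaryDirectory() as root:
        sample = Path(root) / ("a" * 32) / "1.0_0"
        sample.mkdir(parents=True)
        (sample / "manifest.json").write_text(json.dumps(
            {"name": "Sample", "permissions": ["storage", "declarativeNetRequest"]}))
        print(is_patched("143.0.7499.109"), audit_extensions(root))
```

A flagged extension is a review candidate, not a verdict: content blockers and many enterprise tools request these permissions legitimately.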

The incident adds to broader concerns about so-called agentic browsers and AI assistants that operate with elevated privileges inside users’ browsers. Unit 42 framed its research under the banner “Taming Agentic Browsers,” urging both vendors and enterprises to harden policy enforcement around embedded AI components to prevent extensions from converting helpful assistants into covert monitoring tools.
