CVE-2026-3063
📋 TL;DR
This vulnerability allows attackers who convince users to install malicious Chrome extensions to inject scripts or HTML into privileged pages through DevTools. It affects all Google Chrome users prior to version 145.0.7632.116 who install untrusted extensions.
💻 Affected Systems
- Google Chrome
- Chromium-based browsers
📦 What is this software?
Chrome by Google
Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of browser session including access to sensitive data, authentication tokens, and ability to perform actions as the user on web applications.
Likely Case
Data theft from web applications, session hijacking, and unauthorized actions within the user's browser context.
If Mitigated
Limited impact if users only install trusted extensions from official sources and maintain updated browsers.
🎯 Exploit Status
Exploitation requires social engineering to install malicious extension; once installed, exploitation is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 145.0.7632.116 and later
Vendor Advisory: https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_23.html
Restart Required: Yes
Instructions:
1. Open the Chrome menu > Help > About Google Chrome.
2. Chrome will automatically check for updates.
3. If an update is available, click 'Update Google Chrome'.
4. Click 'Relaunch' to restart Chrome with the update.
🔧 Temporary Workarounds
Disable Chrome Extensions
Temporarily disable all extensions to prevent exploitation while waiting to patch.
chrome://extensions/ > toggle off all extensions
Restrict Extension Installation
Configure Chrome policies to prevent users from installing extensions.
Windows: Group Policy Editor > Computer Configuration > Administrative Templates > Google > Google Chrome > Extensions > Configure extension installation whitelist
🧯 If You Can't Patch
- Implement strict extension whitelisting policies to only allow approved extensions
- Educate users about risks of installing untrusted extensions and implement security awareness training
🔍 How to Verify
Check if Vulnerable:
Check the Chrome version: if it is lower than 145.0.7632.116 (compare each dot-separated component numerically, not as text), the system is vulnerable.
Check Version:
chrome://version/
Verify Fix Applied:
Verify Chrome version is 145.0.7632.116 or higher after update.
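To make that check repeatable across a fleet, the following added Python example (not from the advisory or from Google) compares Chrome version strings component by component against the first fixed build 145.0.7632.116; a plain string comparison would wrongly rank 145.0.7632.99 above 145.0.7632.116. The hostnames and inventory versions below are constructed sample data.

```python
from typing import Dict, List, Tuple

# First fixed build according to the advisory for CVE-2026-3063.
FIXED_VERSION = "145.0.7632.116"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a Chrome version string such as '145.0.7632.116' into a tuple of ints.

    Chrome builds have four dot-separated numeric components; comparing the
    tuples compares each component numerically, so 116 > 99 as expected.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version format: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is older than the first fixed build."""
    return parse_version(version) < parse_version(fixed)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return hostnames whose reported Chrome build is still vulnerable.

    Hosts with an unparsable version are flagged too: an unknown build
    cannot be assumed patched. Output is sorted so it is stable.
    """
    flagged = []
    for host, version in inventory.items():
        try:
            if is_vulnerable(version):
                flagged.append(host)
        except ValueError:
            flagged.append(host)
    return sorted(flagged)


# Constructed sample inventory: hostname -> version as shown on chrome://version/
SAMPLE_INVENTORY = {
    "ws-001": "145.0.7632.116",  # exactly the fixed build: not vulnerable
    "ws-002": "145.0.7632.99",   # sorts after ".116" as text but is older
    "ws-003": "144.0.7512.201",  # constructed older major release
    "ws-004": "146.0.7700.50",   # constructed newer major release
    "ws-005": "unknown",         # version was never collected
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: Chrome {SAMPLE_INVENTORY[host]} must be updated to {FIXED_VERSION} or later")
```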
📡 Detection & Monitoring
Log Indicators:
- Unusual DevTools activity logs
- Extension installation events from untrusted sources
- Script injection attempts in privileged contexts
Network Indicators:
- Unexpected outbound connections from Chrome to unknown domains
- Data exfiltration patterns from browser sessions
SIEM Query (parenthesised to make the intended precedence explicit):
source="chrome_security_logs" AND ((event="extension_install" AND source!="chrome_web_store") OR event="devtools_privileged_access")
Note that this query uses source both for the log source and for the extension's install origin; if your SIEM maps both to the same field, the second test is always true and the install-origin filter does nothing, so substitute the field name your schema uses for the extension's origin.