ZENODO
Other literature type . 2026
License: CC BY
Data sources: ZENODO

Origin CyberAnatomy Spoofing via Malicious WebView - Dissecting CVE-2026-0628 Chromium Extension Privilege Escalation

Authors: WIGUNA, SASTRA ADI;


Abstract

This research provides a comprehensive technical dissection of CVE-2026-0628, a high-severity privilege escalation vulnerability (CVSS v3.1: 8.8) in Chromium's WebView policy enforcement mechanism. The vulnerability enables malicious extensions to bypass sandbox isolation and execute arbitrary code within privileged browser contexts, such as chrome:// and chrome-extension:// pages, by exploiting insufficient validation in the Mojo IPC (Inter-Process Communication) protocol.

Core Vulnerability Mechanics

Root Cause: A logic flaw in Chromium's WebViewPolicyValidator::ValidateRequest() function allows origin spoofing and privilege escalation. The function fails to validate whether an extension has sufficient permissions to access privileged origins, such as chrome://settings or chrome-extension://background. Attackers exploit this by crafting malicious WebView elements with attributes like nodeintegration and allowpopups, which bypass security checks and grant access to high-privilege contexts.

Exploit Chain:

Malicious Extension Deployment: An attacker tricks a user into installing an extension with a crafted manifest that declares WebView usage and broad permissions.

WebView Injection: The extension dynamically injects a hidden WebView element () into a webpage.

Privilege Escalation: The WebView bypasses policy validation and executes arbitrary JavaScript in a privileged context, enabling data theft (e.g., cookies, localStorage, session tokens) and lateral movement within the browser.

Sandbox Escape: On Microsoft Edge, the exploit can be chained with token duplication techniques to escape the browser sandbox and execute code at Medium Integrity Level (IL), potentially leading to full system compromise.

Impact:

Confidentiality: High (theft of sensitive data, such as cookies and session tokens).

Integrity: High (manipulation of browser settings and extensions).

Availability: High (persistent background scripts for C2 beaconing).

Attack Vector: Network-based (requires user interaction to install the extension).
