[00:00] Announcer: From Neural Newscast, this is Prime Cyber Insights, Intelligence for Defenders, Leaders, and Decision Makers.
[00:06] Announcer: In the briefing room from March 3rd, 2026, I'm Aaron Cole with Prime Cyber Insights.
[00:12] Announcer: We are moving fast today.
[00:14] Announcer: Joining us today is Chad Thompson, a director-level AI and security leader with a systems-level perspective on automation, enterprise risk, and operational resilience.
[00:25] Announcer: Chad, it's great to have you.
[00:28] Aaron Cole: Glad to be here, Lauren.
[00:30] Aaron Cole: We're seeing a fundamental shift in the browser attack surface as we move toward agentic models.
[00:36] Aaron Cole: And the news this morning really highlights that risk.
[00:40] Lauren Mitchell: Exactly. Malwarebytes reported on a high-severity flaw, CVE 2020-60628, in the Chrome Gemini side panel.
[00:51] Lauren Mitchell: It essentially allowed a low-privilege extension to inherit the AI's powerful permissions:
[00:57] Lauren Mitchell: camera, microphone, and even local file access.
[01:01] Lauren Mitchell: Chad, how does this change the way we evaluate extension security?
[01:07] Aaron Cole: It breaks the traditional sandbox model, Lauren.
[01:10] Aaron Cole: Usually, extensions are isolated, but because the Gemini panel is a trusted, high-privileged
[01:16] Aaron Cole: component, a simple extension could tamper with its traffic and drive the AI autonomously.
[01:24] Aaron Cole: It turns the AI into a command broker for the attacker,
[01:28] Aaron Cole: bypassing user consent prompts entirely.
[01:32] Lauren Mitchell: Switching to mobile, Google has confirmed that a Qualcomm graphics component zero-day,
[01:37] Lauren Mitchell: CVE-2026-21385, is under targeted exploitation.
[01:44] Lauren Mitchell: Chad, this is a buffer overread impacting the kernel level.
[01:49] Lauren Mitchell: What is the practitioner's takeaway here?
[01:51] Aaron Cole: The urgency is the takeaway, Aaron.
[01:55] Aaron Cole: When Google flags targeted exploitation in their monthly bulletin, it means the threat is no longer theoretical.
[02:03] Aaron Cole: This flaw allows for memory corruption by adding user-supplied data without checking buffer space.
[02:12] Aaron Cole: For enterprise fleets, this isn't just a software bug.
[02:15] Aaron Cole: It's a hardware-adjacent vulnerability that requires immediate patch orchestration.
[02:22] Lauren Mitchell: It is a massive patch cycle, too. 129 vulnerabilities in the March update alone.
[02:30] Lauren Mitchell: But while we're tracking zero days, we are also seeing a significant escalation in regional campaigns.
[02:36] Announcer: That brings us to SloppyLemming.
[02:39] Announcer: Arctic Wolf reports this group has dramatically expanded its infrastructure,
[02:44] Announcer: targeting government and energy sectors in Pakistan and Bangladesh.
[02:49] Announcer: They have scaled from 13 Cloudflare Workers to 112 in just a year, using a custom backdoor called BurrowShell.
[02:59] Lauren Mitchell: And they have transitioned to Rust for their keyloggers, which makes detection much harder.
[03:06] Lauren Mitchell: Meanwhile, in Europe, we are seeing the fallout of a major supply chain hit.
[03:12] Lauren Mitchell: 15.8 million medical records were stolen from the French Health Ministry via a breach at the software supplier Cegedim Santé.
[03:21] Announcer: The Register reports that about 165,000 of those files contained actual notes penned by doctors, including sensitive details like HIV status.
[03:33] Announcer: Chad, looking at Cegedim Santé and the Chrome flaw together, what is the common thread for risk leaders?
[03:41] Aaron Cole: The common thread is the failure of third-party boundaries, Aaron.
[03:45] Aaron Cole: Whether it's a trusted browser extension or a government-mandated medical software provider,
[03:51] Aaron Cole: the system-level risk is that we are delegating high-value data access to entities that aren't being audited at the level their permissions require.
[04:04] Aaron Cole: We have to move from trusting the platform to verifying the path of the data.
[04:09] Chad Thompson: A clear reminder that resilience isn't just about internal controls, but managing the entire
[04:15] Chad Thompson: ecosystem.
[04:17] Chad Thompson: Chad, thank you for the analysis today.
[04:19] Announcer: That is the briefing for today.
[04:21] Announcer: For technical details on the CVEs and campaigns mentioned, visit pci.neuralnewscast.com.
[04:29] Announcer: I'm Aaron Cole.
[04:31] Lauren Mitchell: And I'm Lauren Mitchell.
[04:32] Lauren Mitchell: This has been Prime Cyber Insights.
[04:35] Lauren Mitchell: Note that our coverage is for informational purposes.
[04:38] Lauren Mitchell: Always verify security steps with your internal engineering teams.
[04:42] Lauren Mitchell: We'll see you tomorrow.
[04:44] Lauren Mitchell: Neural Newscast is AI-assisted, human-reviewed.
[04:48] Lauren Mitchell: View our AI transparency policy at neuralnewscast.com.
[04:52] Announcer: This has been Prime Cyber Insights on Neural Newscast,
[04:56] Announcer: Intelligence for Defenders, Leaders, and Decision Makers.
[04:59] Announcer: Neural Newscast uses artificial intelligence in content creation
[05:03] Announcer: with human editorial review prior to publication.
[05:06] Announcer: While we strive for factual, unbiased reporting, AI-assisted content may occasionally contain
[05:12] Announcer: errors. Verify critical information with trusted sources. Learn more at neuralnewscast.com.