Skip to main content
TechnologyMay 22, 2026· 3 min read

Google Publishes Exploit for Unpatched Chromium Bug Since 2022

In recent hours, Google has published on its public Chromium bug tracker the exploit code for a vulnerability that remains unpatched, affecting Chrome, Microsoft Edge, and the entire family of browsers based on the same codebase. The publication, which was removed shortly after but already archived elsewhere, pertains to a bug reported privately to Mountain View at the end of 2022 by independent researcher Lyra Rebane, and since then classified internally as S1, the highest severity level in the project's taxonomy.

The vulnerability concerns the Background Fetch API, the web standard that allows a site to download large files in the background, such as long videos, even after the tab is closed. The published exploit hijacks this mechanism to open a persistent service worker, maintaining a connection between the browser and a remote server controlled by the attacker. Depending on the browser, the connection is either reopened or remains active even after restarting the browser or the device.

The infection vector requires only that the user visits a malicious page, with no downloads needed, no popups to approve, and no explicit permissions required. On Microsoft Edge, according to the researcher, the only visible signal can be a brief popup related to downloads lacking an actual file, easily dismissed as a minor browser error. Chrome behaves similarly, and any notifications may disappear after the first occurrence.

The execution capabilities that the attacker can obtain match those that a browser can perform on its own: visiting other sites, functioning as an anonymous proxy for others' traffic, participating in DDoS attacks, and collecting partial information about the user's browsing. There is no direct access to files, passwords, or the content of emails. A compromise equates to a low-scale backdoor that inserts the device into a potentially vast network comprising thousands or even millions of nodes. The value for an attacker is the fleet of dormant endpoints, reusable in conjunction with a second vulnerability that might emerge in the future.

Twenty-Nine Months Without a Patch

What weighs heavily in this matter is the timeline. Rebane submitted the report to Google at the end of 2022. In the internal discussion thread, two Chromium developers labeled the bug as a "serious vulnerability," assigning it the S1 rating. Since then, the report remained in the internal tracker, accessible only to project developers, for 29 months.

Yesterday morning, the bug was published in the public tracker, with the proof-of-concept code attached. The researcher initially interpreted the move as notification of a fix, only to realize soon after that the fix had never been applied. Google quickly removed the post, but the content had already been archived. Currently, the company has not responded to requests for clarification regarding the disclosure process and the timing of the fix.

Rebane's reading on the delay seems plausible: it represents a gray area of triage. The vulnerability is serious enough to warrant an S1 label, yet lacks the immediate damage profile such as exposure of files, credentials, or private communications that triggers maximum priority in internal workflows. The resolution timing thus appears in line with what is typical for similar classes of bugs.

What Changes for Users

The potential impact depends on Chromium's market share. Besides Chrome and Edge, it also involves Brave, Opera, Vivaldi, and other derivatives that share the same engine. Firefox and Safari, based on Gecko and WebKit respectively, are not affected.

Currently, there is no public patch, and Google has not indicated a timeline for release. The only practical mitigation for the end user is to limit browsing to known sites and avoid unknown links, a modest palliative considering that the attack surface coincides with the open web. In managed environments, enterprise policies remain available to disable the background mode of Chrome and Edge, which partially reduce the vector.