{"id":13069,"date":"2026-05-22T10:03:37","date_gmt":"2026-05-22T10:03:37","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/05\/22\/google-publishes-exploit-code-for-unfixed-chromium-bug-exposing-millions-of-users\/"},"modified":"2026-05-22T10:03:37","modified_gmt":"2026-05-22T10:03:37","slug":"google-publishes-exploit-code-for-unfixed-chromium-bug-exposing-millions-of-users","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/05\/22\/google-publishes-exploit-code-for-unfixed-chromium-bug-exposing-millions-of-users\/","title":{"rendered":"Google Publishes Exploit Code for Unfixed Chromium Bug Exposing Millions of Users"},"content":{"rendered":"<p>    Google Publishes Exploit Code for Unfixed Chromium Bug Exposing Millions of Users<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p class=\"wp-block-paragraph\">Google has publicly released proof-of-concept (PoC) exploit code for a critical, still-unpatched vulnerability in the Chromium codebase, potentially exposing millions of users across Chrome, Microsoft Edge, and other <a href=\"https:\/\/cybersecuritynews.com\/claude-desktop-reportedly-adds-browser-access\/\" target=\"_blank\" rel=\"noreferrer noopener\">Chromium-based browsers<\/a> to stealthy botnet-style abuse.<\/p>\n<p class=\"wp-block-paragraph\">The vulnerability, originally reported in late 2022 by independent security researcher Lyra Rebane, remains unfixed after more than 42 months. It has been assigned a Priority 1 (P1) rating, indicating high urgency and Severity 2 (S2), marking it as a serious security issue within Chromium\u2019s vulnerability classification framework.<\/p>\n<p class=\"wp-block-paragraph\">The flaw resides in the Browser Fetch API, a feature designed to allow large downloads, such as videos or files, to continue in the background via Service Workers.<\/p>\n<p class=\"wp-block-paragraph\">However, Rebane discovered that this mechanism can be abused to create persistent, never-terminating tasks that maintain continuous communication with attacker-controlled infrastructure.<\/p>\n<p class=\"wp-block-paragraph\">By leveraging this behavior, attackers can establish a covert communication channel between a victim\u2019s browser and a <a href=\"https:\/\/cybersecuritynews.com\/command-and-controlc2-server\/\" target=\"_blank\" rel=\"noreferrer noopener\">command-and-control (C2) server<\/a>. Notably, in some implementations, such as Microsoft Edge, the connection may persist even after the browser is closed or the system is rebooted.<\/p>\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\">\n<div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"751aadcfcdfad72a\" width=\"696\" height=\"392\" src=\"https:\/\/www.youtube.com\/embed\/7eb3jIAdYnk?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><figcaption class=\"wp-element-caption\">Source: Lyra Rebane<\/figcaption><\/figure>\n<p class=\"sg-ai-highlighted-block wp-block-paragraph\">The exploit effectively transforms a browser into a \u201climited botnet node\u201d without requiring any user interaction.<\/p>\n<h2 id=\"h-exploitation-requires-only-a-website-visit\" class=\"wp-block-heading\"><strong>Exploitation Requires Only a Website Visit<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">The attack vector is particularly concerning due to its simplicity. Any user visiting a malicious or compromised website can be silently enrolled into this browser-based botnet.<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/infosec.exchange\/@rebane2001\/116606719764376414\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">According to Rebane\u2019s disclosure<\/a>, attackers can deploy a malicious webpage that contains a Service Worker that initiates a background fetch task that never terminates. This enables continuous execution of JavaScript code on the victim\u2019s device.<\/p>\n<p class=\"wp-block-paragraph\">\u201cIt\u2019s realistic to get tens of thousands of pageviews for creating a \u2018botnet,\u2019 and users won\u2019t be aware that JavaScript can be remotely executed on their device,\u201d Rebane noted in the original report.<\/p>\n<p class=\"wp-block-paragraph\">While the exploit is constrained by browser sandboxing, its capabilities still pose a significant risk at scale. Potential abuse scenarios include:<\/p>\n<ul class=\"wp-block-list\">\n<li>Distributed Denial-of-Service (DDoS): Compromised browsers can be orchestrated to flood target infrastructure with traffic.<\/li>\n<li>Proxy Networks: Attackers can route malicious or anonymized traffic through victim browsers.<\/li>\n<li>Traffic Redirection: Users can be silently redirected to attacker-controlled or malicious destinations.<\/li>\n<li>Activity Monitoring: Limited tracking of browsing behavior and network activity.<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">The researcher emphasized that while current capabilities are limited to browser-level actions, the real risk lies in chaining this vulnerability with future exploits. A pre-established network of compromised browsers could serve as a launchpad for more advanced attacks once additional vulnerabilities are identified.<\/p>\n<p class=\"wp-block-paragraph\">Google\u2019s decision to publish exploit code before issuing a patch has raised concerns within the security community. The PoC lowers the barrier to entry for threat actors, making exploitation \u201cpretty easy,\u201d according to Rebane, although scaling operations would require additional infrastructure.<\/p>\n<p class=\"wp-block-paragraph\">In the Chromium issue tracker, multiple developers acknowledged the severity of the flaw, describing it as a \u201cserious vulnerability.\u201d Despite this, no complete fix has been rolled out as of this writing.<\/p>\n<h2 id=\"h-affected-platforms\" class=\"wp-block-heading\"><strong>Affected Platforms<\/strong><\/h2>\n<ul class=\"wp-block-list\">\n<li>Google Chrome<\/li>\n<li>Microsoft Edge<\/li>\n<li>Brave Browser<\/li>\n<li>Opera<\/li>\n<li>Other Chromium-based browsers<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">Until an official patch is released, users and organizations should consider the following mitigations:<\/p>\n<ul class=\"wp-block-list\">\n<li>Restrict Service Worker usage via enterprise browser policies where feasible.<\/li>\n<li>Disable background fetch features if configurable.<\/li>\n<li>Use network-level monitoring to detect anomalous outbound browser connections.<\/li>\n<li>Implement browser isolation technologies in enterprise environments.<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">With exploit code now public and no patch available, the vulnerability presents a unique window of opportunity for threat actors targeting large-scale browser-based botnets.<\/p>\n<p class=\"has-text-align-center has-background wp-block-paragraph\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 91%,rgb(169,184,195) 100%)\"><strong>Follow us on\u00a0<a href=\"https:\/\/news.google.com\/publications\/CAAqMggKIixDQklTR3dnTWFoY0tGV041WW1WeWMyVmpkWEpwZEhsdVpYZHpMbU52YlNnQVAB?hl=en-IN&amp;gl=IN&amp;ceid=IN:en\" target=\"_blank\" rel=\"noreferrer noopener\">Google News<\/a>,\u00a0<a href=\"https:\/\/www.linkedin.com\/company\/cybersecurity-news\/\" target=\"_blank\" rel=\"noreferrer noopener\">LinkedIn<\/a>,\u00a0and\u00a0<a href=\"https:\/\/x.com\/cyber_press_org\" target=\"_blank\" rel=\"noreferrer noopener\">X<\/a>\u00a0to Get More Instant Updates.<\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/google-publishes-chromium-exploit-code\/\">Google Publishes Exploit Code for Unfixed Chromium Bug Exposing Millions of Users<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Guru Baran<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/google-publishes-chromium-exploit-code\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Google Publishes Exploit Code for Unfixed Chromium Bug Exposing Millions of Users Google has publicly released proof-of-concept (PoC) exploit code for a critical, still-unpatched vulnerability in the Chromium codebase, potentially exposing millions of users across Chrome, Microsoft Edge, and other Chromium-based browsers to stealthy botnet-style abuse. The vulnerability, originally reported in late 2022 by independent [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131,648],"tags":[130],"class_list":["post-13069","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13069"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=13069"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13069\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=13069"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=13069"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=13069"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}