Google Leaks Details of Unfixed Chromium Flaw After 29 Months
A Chromium bug reported in 2022 that turns browsers into silent botnets was accidentally exposed on Google's issue tracker. No patch exists despite 'fixed' status.
Google accidentally published exploit details for a dangerous Chromium vulnerability on May 20, giving attackers a blueprint for a flaw that remains unpatched nearly two and a half years after its initial disclosure.
The bug, reported by security researcher Lyra Rebane in December 2022, allows malicious websites to turn visitors' browsers into persistent JavaScript execution nodes—effectively botnet members—without any visible indication to the user. Despite being marked "fixed" twice in the Chromium issue tracker, the vulnerability remains exploitable in current versions of Chrome and Microsoft Edge.
What Happened
Under Chromium's standard disclosure policy, security bugs automatically become public 14 weeks after they're marked as fixed. When Google's system removed access restrictions on May 20, it inadvertently exposed full technical details for a vulnerability that had never actually been patched.
"I tested the fix and noticed that the problem was still present in Chrome Dev 150 and Edge 148," Rebane confirmed the same day the details went public.
The timeline tells a troubling story:
- December 2022: Rebane reports the vulnerability
- October 2024: Google developer flags it as a "serious vulnerability" requiring progress updates
- February 10, 2026: Bug marked as fixed, then reopened minutes later
- February 12, 2026: Marked fixed again without an actual patch; Rebane receives $1,000 bounty
- May 20, 2026: Details automatically published; exploit confirmed still working
How the Attack Works
The vulnerability abuses Chromium's Background Fetch API to create a Service Worker that never terminates. When a user visits a malicious webpage, the attacker registers a persistent service worker that continues executing JavaScript even after the browser tab is closed.
On Microsoft Edge, Rebane describes the attack as "completely silent JS RCE that keeps running even after you close the browser" with no download prompts or other visible indicators.
The implications are significant. Attackers could leverage infected browsers for:
- Distributed denial-of-service attacks against targeted infrastructure
- Proxying malicious traffic through victims' internet connections
- Cryptocurrency mining using victims' computing resources
- Serving as relay nodes in larger command-and-control networks
"It's realistic to get tens of thousands of pageviews for creating a 'botnet,'" Rebane explained. "People won't be aware that JavaScript can be remotely executed on their devices."
Which Browsers Are Affected
Every Chromium-based browser inherits this vulnerability, meaning the exposure extends far beyond Google Chrome:
- Google Chrome
- Microsoft Edge
- Brave
- Opera
- Vivaldi
- Arc
This represents the overwhelming majority of desktop browser users. A single vulnerability in Chromium's codebase can instantly affect billions of users across multiple browsers and operating systems.
Firefox and Safari users are not affected—neither browser implements the Background Fetch API in a way that enables this attack vector.
Google's Silence
BleepingComputer reached out to Google for comment but received no response before publication. The company hasn't issued any public statement about the accidental disclosure or provided a timeline for an actual patch.
This incident highlights the fragility of coordinated disclosure timelines. The 14-week automatic publication window assumes the bug was genuinely fixed—an assumption that clearly failed here. Google's bug bounty payment in February essentially certified a non-existent fix, triggering the countdown to public disclosure.
What Users Can Do
With no patch available, options are limited. Browser users can:
- Block third-party service workers via browser settings or extensions
- Use Firefox or Safari for sensitive browsing until a patch ships
- Monitor network activity for unexpected background connections
Enterprise administrators should consider network-level controls to detect and block suspicious outbound connections from endpoints, particularly those characteristic of botnet command-and-control traffic.
Chrome users waiting for security updates have had a busy year—Google recently pushed Chrome 148 with 79 vulnerability patches and earlier addressed CVE-2026-2441, a CSS use-after-free bug under active exploitation.
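For the monitoring advice above, this added example (not code from the article, the researcher, or Chromium) shows how a site owner could list the service workers and Background Fetch registrations on their own origin and flag the ones worth reviewing. The `app.example` URLs, the sample snapshot and the expected-script list are constructed, and treating an unfinished Background Fetch as a review signal is an assumption drawn from the article's description. A page script can only see registrations for its own origin.

```javascript
// Added example (not from the article). URLs and the allow-list are constructed.

// Read service worker and Background Fetch state for the current origin.
// `container` defaults to navigator.serviceWorker; a page only sees its own origin.
async function collectSnapshot(container = globalThis.navigator?.serviceWorker) {
  if (!container) return [];
  const regs = await container.getRegistrations();
  return Promise.all(regs.map(async (reg) => {
    const worker = reg.active || reg.waiting || reg.installing;
    const fetches = [];
    if (reg.backgroundFetch) { // absent where the browser lacks the Background Fetch API
      for (const id of await reg.backgroundFetch.getIds()) {
        const bg = await reg.backgroundFetch.get(id);
        if (bg) fetches.push({ id: bg.id, result: bg.result, downloaded: bg.downloaded });
      }
    }
    return { scope: reg.scope, scriptURL: worker ? worker.scriptURL : null, fetches };
  }));
}

// Pure classifier over a snapshot. `expectedScripts` is the site owner's own
// list of worker scripts they deploy (hypothetical input).
function flagRegistrations(snapshot, expectedScripts) {
  const expected = new Set(expectedScripts);
  return snapshot.map((reg) => {
    const reasons = [];
    if (!expected.has(reg.scriptURL)) reasons.push("unexpected-script");
    // BackgroundFetchRegistration.result is "" until the fetch settles.
    const pending = reg.fetches.filter((f) => f.result === "").map((f) => f.id);
    if (pending.length > 0) reasons.push("unfinished-background-fetch");
    return { scope: reg.scope, scriptURL: reg.scriptURL, pending, reasons };
  }).filter((r) => r.reasons.length > 0);
}

// Constructed sample snapshot for offline use.
const SAMPLE_SNAPSHOT = [
  { scope: "https://app.example/", scriptURL: "https://app.example/sw.js",
    fetches: [{ id: "offline-pack", result: "success", downloaded: 1024 }] },
  { scope: "https://app.example/promo/", scriptURL: "https://app.example/promo/w.js",
    fetches: [{ id: "x1", result: "", downloaded: 0 }] },
  { scope: "https://app.example/video/", scriptURL: "https://app.example/video-sw.js",
    fetches: [{ id: "ep-12", result: "", downloaded: 300 }] },
];
const SAMPLE_EXPECTED = ["https://app.example/sw.js", "https://app.example/video-sw.js"];
```

In a DevTools console on the origin being checked, `collectSnapshot().then((s) => console.table(flagRegistrations(s, SAMPLE_EXPECTED)))` prints the flagged entries, with the expected list replaced by the scripts the site actually deploys.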
Why This Matters
The 29-month gap between disclosure and accidental publication raises uncomfortable questions about how seriously Google treats certain classes of vulnerabilities. While the company's bug bounty program is among the most generous in the industry, paying researchers doesn't help users if reported bugs sit unfixed.
The automated disclosure system worked exactly as designed—the problem is that it trusted an incorrect "fixed" status. Browser vendors relying on similar systems may want to add verification steps before publishing bug details.
For now, users browsing the web with any Chromium-based browser should assume that a single visit to a compromised website could silently enlist their machine in a JavaScript-powered botnet. Stay tuned to our security coverage for updates when Google releases an actual fix.