Google Publishes Exploit Code for Unfixed Chromium Bug Exposing Millions of Users
By Guru Baran
May 22, 2026
Google has publicly released proof-of-concept (PoC) exploit code for a critical, still-unpatched vulnerability in the Chromium codebase, potentially exposing millions of users across Chrome, Microsoft Edge, and other Chromium-based browsers to stealthy botnet-style abuse.
The vulnerability, originally reported in late 2022 by independent security researcher Lyra Rebane, remains unfixed after more than 42 months. It has been assigned a Priority 1 (P1) rating, indicating high urgency, and Severity 2 (S2), marking it as a serious security issue within Chromium’s vulnerability classification framework.
The flaw resides in the Browser Fetch API, a feature designed to allow large downloads, such as videos or files, to continue in the background via Service Workers.
However, Rebane discovered that this mechanism can be abused to create persistent, never-terminating tasks that maintain continuous communication with attacker-controlled infrastructure.
By leveraging this behavior, attackers can establish a covert communication channel between a victim’s browser and a command-and-control (C2) server. Notably, in some implementations, such as Microsoft Edge, the connection may persist even after the browser is closed or the system is rebooted.
Source: Lyra Rebane
The exploit effectively transforms a browser into a “limited botnet node” without requiring any user interaction.
Exploitation Requires Only a Website Visit
The attack vector is particularly concerning due to its simplicity. Any user visiting a malicious or compromised website can be silently enrolled into this browser-based botnet.
According to Rebane’s disclosure, an attacker can deploy a malicious webpage that registers a Service Worker, which in turn starts a background fetch task that never terminates. As long as that task runs, JavaScript keeps executing on the victim’s device.
“It’s realistic to get tens of thousands of pageviews for creating a ‘botnet,’ and users won’t be aware that JavaScript can be remotely executed on their device,” Rebane noted in the original report.
While the exploit is constrained by browser sandboxing, its capabilities still pose a significant risk at scale. Potential abuse scenarios include:
Distributed Denial-of-Service (DDoS): Compromised browsers can be orchestrated to flood target infrastructure with traffic.
Proxy Networks: Attackers can route malicious or anonymized traffic through victim browsers.
Traffic Redirection: Users can be silently redirected to attacker-controlled or malicious destinations.
Activity Monitoring: Limited tracking of browsing behavior and network activity.
The researcher emphasized that while current capabilities are limited to browser-level actions, the real risk lies in chaining this vulnerability with future exploits. A pre-established network of compromised browsers could serve as a launchpad for more advanced attacks once additional vulnerabilities are identified.
Google’s decision to publish exploit code before issuing a patch has raised concerns within the security community. The PoC lowers the barrier to entry for threat actors, making exploitation “pretty easy,” according to Rebane, although scaling operations would require additional infrastructure.
In the Chromium issue tracker, multiple developers acknowledged the severity of the flaw, describing it as a “serious vulnerability.” Despite this, no complete fix has been rolled out as of this writing.
Affected Platforms
Google Chrome
Microsoft Edge
Brave Browser
Opera
Other Chromium-based browsers
Until an official patch is released, users and organizations should consider the following mitigations:
Restrict Service Worker usage via enterprise browser policies where feasible.
Disable background fetch features if configurable.
Use network-level monitoring to detect anomalous outbound browser connections.
Implement browser isolation technologies in enterprise environments.
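The network-monitoring mitigation above can be made concrete. The following is an added example, not code from the article or from Rebane’s report: it scans constructed proxy log lines (the format, hosts and thresholds are assumptions) for a client that keeps one outbound connection to the same external host open, or re-opens it within seconds, for hours at a stretch, which is the traffic shape a never-terminating background fetch would leave behind.

```python
"""Flag (client, host) pairs whose connections stay continuously open or are
re-established back-to-back for a long window, the pattern a persistent
browser-to-C2 channel would produce. Log format and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log (assumed format):
# timestamp src_ip dest_host duration_seconds bytes_out
SAMPLE_LOG = """\
2026-05-22T09:00:00 10.1.1.5 cdn.example-news.test 3 18200
2026-05-22T09:00:10 10.1.1.5 cdn.example-news.test 2 9100
2026-05-22T09:00:00 10.1.1.7 updates.example-c2.test 3600 120
2026-05-22T10:00:01 10.1.1.7 updates.example-c2.test 3600 130
2026-05-22T11:00:02 10.1.1.7 updates.example-c2.test 3600 125
2026-05-22T12:00:03 10.1.1.7 updates.example-c2.test 3600 128
2026-05-22T09:30:00 10.1.1.9 mail.example-corp.test 45 50000
"""


def parse(log_text):
    """Parse the assumed log format into (start, src, host, duration, bytes_out)."""
    rows = []
    for line in log_text.splitlines():
        ts, src, host, dur, out = line.split()
        rows.append((datetime.fromisoformat(ts), src, host, int(dur), int(out)))
    return rows


def find_persistent_channels(rows, min_span=timedelta(hours=3),
                             min_busy_ratio=0.9, max_gap_seconds=5):
    """Return (src_ip, host) pairs seen for at least min_span whose connections
    cover min_busy_ratio of that window and never pause longer than max_gap."""
    by_pair = defaultdict(list)
    for start, src, host, dur, _ in rows:
        by_pair[(src, host)].append((start, start + timedelta(seconds=dur)))
    flagged = []
    for pair, spans in by_pair.items():
        spans.sort()
        window = max(end for _, end in spans) - spans[0][0]
        if window < min_span:
            continue  # short-lived pairs are ordinary browsing
        busy = sum((end - start).total_seconds() for start, end in spans)
        gaps_ok = all((spans[i + 1][0] - spans[i][1]).total_seconds() <= max_gap_seconds
                      for i in range(len(spans) - 1))
        if busy / window.total_seconds() >= min_busy_ratio and gaps_ok:
            flagged.append(pair)
    return flagged


if __name__ == "__main__":
    for src, host in find_persistent_channels(parse(SAMPLE_LOG)):
        print(f"persistent outbound channel: {src} -> {host}")
```

Tune the window and gap thresholds to your environment; legitimate long downloads also look busy, so treat a hit as a lead to check against the browser’s registered Service Workers rather than as a verdict.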
With exploit code now public and no patch available, the vulnerability presents a unique window of opportunity for threat actors targeting large-scale browser-based botnets.
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.