
Google Publishes Exploit Code for Unfixed Chromium Bug Exposing Millions of Users

By Guru Baran, Cyber Security News, May 22, 2026

Google has publicly released proof-of-concept (PoC) exploit code for a critical, still-unpatched vulnerability in the Chromium codebase, potentially exposing millions of users across Chrome, Microsoft Edge, and other Chromium-based browsers to stealthy botnet-style abuse. The vulnerability, originally reported in late 2022 by independent security researcher Lyra Rebane, remains unfixed after more than 42 months. It has been assigned a Priority 1 (P1) rating, indicating high urgency, and a Severity 2 (S2) rating, marking it as a serious security issue within Chromium's vulnerability classification framework.

The flaw resides in the Browser Fetch API, a feature designed to allow large downloads, such as videos or files, to continue in the background via Service Workers. Rebane discovered, however, that this mechanism can be abused to create persistent, never-terminating tasks that maintain continuous communication with attacker-controlled infrastructure. By leveraging this behavior, attackers can establish a covert communication channel between a victim's browser and a command-and-control (C2) server. Notably, in some implementations, such as Microsoft Edge, the connection may persist even after the browser is closed or the system is rebooted.

(Image source: Lyra Rebane)

The exploit effectively transforms a browser into a "limited botnet node" without requiring any user interaction.

Exploitation Requires Only a Website Visit

The attack vector is particularly concerning because of its simplicity: any user visiting a malicious or compromised website can be silently enrolled into this browser-based botnet. According to Rebane's disclosure, attackers can deploy a malicious webpage containing a Service Worker that initiates a background fetch task that never terminates, enabling continuous execution of JavaScript code on the victim's device.

"It's realistic to get tens of thousands of pageviews for creating a 'botnet,' and users won't be aware that JavaScript can be remotely executed on their device," Rebane noted in the original report.

While the exploit is constrained by browser sandboxing, its capabilities still pose a significant risk at scale. Potential abuse scenarios include:

- Distributed Denial-of-Service (DDoS): compromised browsers can be orchestrated to flood target infrastructure with traffic.
- Proxy networks: attackers can route malicious or anonymized traffic through victim browsers.
- Traffic redirection: users can be silently redirected to attacker-controlled or malicious destinations.
- Activity monitoring: limited tracking of browsing behavior and network activity.

The researcher emphasized that while current capabilities are limited to browser-level actions, the real risk lies in chaining this vulnerability with future exploits. A pre-established network of compromised browsers could serve as a launchpad for more advanced attacks once additional vulnerabilities are identified.

Google's decision to publish exploit code before issuing a patch has raised concerns within the security community. The PoC lowers the barrier to entry for threat actors, making exploitation "pretty easy," according to Rebane, although scaling operations would require additional infrastructure. In the Chromium issue tracker, multiple developers acknowledged the severity of the flaw, describing it as a "serious vulnerability." Despite this, no complete fix had been rolled out as of this writing.

Affected Platforms

- Google Chrome
- Microsoft Edge
- Brave Browser
- Opera
- Other Chromium-based browsers

Until an official patch is released, users and organizations should consider the following mitigations:

- Restrict Service Worker usage via enterprise browser policies where feasible.
- Disable background fetch features if configurable.
- Use network-level monitoring to detect anomalous outbound browser connections.
- Implement browser isolation technologies in enterprise environments.

With exploit code now public and no patch available, the vulnerability presents a unique window of opportunity for threat actors seeking to build large-scale browser-based botnets.
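The third mitigation above, network-level monitoring for anomalous outbound browser connections, is the one a defender can act on without waiting for a patch. The script below is an added example written for this page; it is not code from the article, from Rebane's report, or from Chromium. It assumes an egress log in a simple constructed CSV format (timestamp, client IP, process name, destination host, port, bytes sent, connection duration in seconds) and looks for the two shapes a never-terminating background fetch can take on the wire: a single browser connection held open far longer than a normal download, or a browser re-contacting one external host at regular intervals over a long span. The thresholds, process list, sample hosts under `.test` and the log lines are all constructed for the example.

```python
"""Flag browser egress that looks like a persistent background channel.

Added example; not code from the article or from Chromium. The log format,
thresholds and sample data below are assumptions made for this demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Browser process names of the Chromium-based browsers named in the article
# (constructed list; extend to match the executables seen in your environment).
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}

# Tunable thresholds (assumptions for this example, not values from the article).
MIN_SPAN = timedelta(minutes=30)   # same destination seen across at least this long
MIN_CONNECTIONS = 6                # and at least this many connections in that span
MAX_JITTER = 0.25                  # pstdev/mean of inter-connection gaps: low = regular beacon
LONG_CONNECTION = 20 * 60          # one connection open this long (seconds) is suspicious


@dataclass(frozen=True)
class Conn:
    ts: datetime
    src: str
    process: str
    dst: str
    port: int
    bytes_out: int
    duration: float


def parse_line(line: str) -> Conn:
    """Parse one constructed CSV egress record into a Conn."""
    ts, src, proc, dst, port, nbytes, dur = line.strip().split(",")
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return Conn(when, src, proc, dst, int(port), int(nbytes), float(dur))


def find_persistent_channels(lines):
    """Return (src, process, dst, reason) tuples for browser egress that looks persistent."""
    groups = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        conn = parse_line(line)
        if conn.process.lower() not in BROWSER_PROCESSES:
            continue  # only browser-originated traffic is in scope here
        groups[(conn.src, conn.process, conn.dst)].append(conn)

    findings = []
    for key, conns in groups.items():
        conns.sort(key=lambda c: c.ts)
        # Shape 1: a single connection that never seems to finish.
        longest = max(c.duration for c in conns)
        if longest >= LONG_CONNECTION:
            findings.append((*key, f"long-lived connection ({longest:.0f}s)"))
            continue
        # Shape 2: many connections to one host, evenly spaced, over a long span.
        if len(conns) < MIN_CONNECTIONS:
            continue
        span = conns[-1].ts - conns[0].ts
        if span < MIN_SPAN:
            continue
        gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(conns, conns[1:])]
        jitter = pstdev(gaps) / mean(gaps)
        if jitter <= MAX_JITTER:
            findings.append((*key, f"regular beacon: {len(conns)} connections, "
                                   f"every ~{mean(gaps):.0f}s over {span}"))
    return findings


# Constructed sample log: one regular beacon, one long-held connection,
# ordinary browsing to a news site, and a non-browser process that is ignored.
SAMPLE_LOG = """\
2026-05-22T09:00:00Z,10.0.0.5,chrome.exe,beacon.example.test,443,512,1.2
2026-05-22T09:01:00Z,10.0.0.5,chrome.exe,news.example.test,443,8192,3.5
2026-05-22T09:01:05Z,10.0.0.5,chrome.exe,news.example.test,443,4096,1.1
2026-05-22T09:02:00Z,10.0.0.7,msedge.exe,cdn-video.example.test,443,2048,1500.0
2026-05-22T09:05:02Z,10.0.0.5,chrome.exe,beacon.example.test,443,512,1.0
2026-05-22T09:09:58Z,10.0.0.5,chrome.exe,beacon.example.test,443,512,1.3
2026-05-22T09:12:40Z,10.0.0.5,chrome.exe,news.example.test,443,16384,4.0
2026-05-22T09:15:01Z,10.0.0.5,chrome.exe,beacon.example.test,443,512,1.1
2026-05-22T09:19:59Z,10.0.0.5,chrome.exe,beacon.example.test,443,512,1.2
2026-05-22T09:20:00Z,10.0.0.9,svchost.exe,updates.example.test,443,1024,900.0
2026-05-22T09:25:00Z,10.0.0.5,chrome.exe,beacon.example.test,443,512,1.0
2026-05-22T09:30:03Z,10.0.0.5,chrome.exe,beacon.example.test,443,512,1.1
2026-05-22T09:34:57Z,10.0.0.5,chrome.exe,beacon.example.test,443,512,1.2
2026-05-22T09:40:00Z,10.0.0.5,chrome.exe,news.example.test,443,2048,0.9
"""

if __name__ == "__main__":
    for src, proc, dst, reason in find_persistent_channels(SAMPLE_LOG.splitlines()):
        print(f"{src} {proc} -> {dst}: {reason}")
```

Run against the constructed log, the script reports the evenly spaced `beacon.example.test` traffic and the 1500-second `cdn-video.example.test` connection, and stays quiet about the irregular news-site browsing and the non-browser process. In production the same grouping runs over proxy or firewall exports, and the thresholds should be tuned against a baseline of legitimate long downloads and auto-refreshing pages, which produce the same shapes at lower rates.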