Skip to content
Tech News
← Back to articles

Google publishes exploit code threatening millions of Chromium users

2026-05-20 | original
read original get Chromium Security Patch → more articles
Why This Matters

Google's publication of exploit code for an unfixed vulnerability in Chromium-based browsers poses a significant security threat, potentially enabling attackers to create large botnets and conduct malicious activities such as DDoS attacks and user monitoring. This highlights the urgent need for timely security patches and increased vigilance among users and developers to mitigate risks. The incident underscores the importance of responsible disclosure and proactive security measures in the tech industry.

Key Takeaways

Google on Wednesday published exploit code for an unfixed vulnerability in its Chromium browser codebase that threatens millions of people using Chrome, Microsoft Edge, and virtually all other Chromium-based browsers.

The proof-of-concept code exploits the Browser Fetch programming interface, a standard that allows long videos and other large files to be downloaded in the background. An attacker can use the exploit to create a connection for monitoring some aspects of a user’s browser usage and as a proxy for viewing sites and launching denial-of-service attacks. Depending on the browser, the connections either reopen or remain open even after it or the device running it has rebooted.

Unfixed for 29 months (and counting)

The unfixed vulnerability can be exploited by any website a user visits. In effect, a compromise amounts to a limited backdoor that makes a device part of a limited botnet. The capabilities are limited to the same things a browser can do, such as visit malicious sites, provide anonymous proxy browsing by others, enable proxied DDoS attacks, and monitor user activity. Nonetheless, the exploit could allow an attacker to wrangle thousands, possibly millions, of devices into a network. Once a separate vulnerability becomes available, the attacker could use it to then compromise all those devices.

“The dangerous part here is that you can just have a lot of different browsers together that you can in the future run something on that you figure out,” said Lyra Rebane, the independent researcher who discovered the vulnerability and privately reported it to Google in late 2022 in an interview. He said using the exploit code Google prematurely published would be “pretty easy,” although scaling it to wrangle large numbers of devices into a single network would require more work. In the thread of Rebane’s disclosure to Google, two developers said in separate responses that it was a “serious vulnerability.” Its severity was rated S1, the second-highest classification.

Since its reporting 29 months ago, the vulnerability remained unknown except to Chromium developers. Then on Wednesday morning, it was published to the Chromium bug tracker. Rebane initially assumed the vulnerability was finally fixed. Shortly thereafter, he learned that, in fact, it remained unpatched. While Google removed the post, it remains available on archival sites, along with the exploit code.

Explore topics: chromium google browser fetch microsoft edge exploit code
Related:
Google Health brings a powerful new widget to your home screen
Google Is Slopping Up Search and It Wants You to Talk to the Ads
Google is bringing new AI-powered ad formats to search
Don’t like the changes coming to Google Search? Then you’re going to hate this news
Having Android XR Glasses Support iOS Might Be Their Best Feature

© 2026 GoKawiil

About | Editorial Policy | Contact