Google Publishes Exploit Code for Unfixed Chromium Vulnerability
Google published proof-of-concept code for a vulnerability in its Chromium browser that affects Chrome, Edge, and other Chromium-based browsers. The flaw, reported 29 months earlier, allows attackers to monitor browser activity and create persistent connections.
bleedingcool.comGoogle on Wednesday published exploit code for an unfixed vulnerability in its Chromium browser codebase. The code targets the Browser Fetch programming interface, which allows long videos and other large files to be downloaded in the background. An attacker can use the exploit to monitor aspects of a user's browser usage and to act as a proxy for viewing sites and launching denial-of-service attacks.
Depending on the browser, the connections either reopen or remain open even after the browser or device has rebooted.
The unfixed vulnerability can be exploited by any website a user visits. A compromise amounts to a limited backdoor that makes a device part of a limited botnet. The capabilities are limited to actions a browser can perform, such as visiting malicious sites, providing anonymous proxy browsing, enabling proxied denial-of-service attacks, and monitoring user activity.
Lyra Rebane, the independent researcher who discovered the vulnerability and privately reported it to Google in late 2022, said the exploit code Google published would be "pretty easy" to use. He added that scaling it to control large numbers of devices would require more work.
Its severity was rated S1, the second-highest classification. The vulnerability remained unknown except to Chromium developers until it was published to the Chromium bug tracker on Wednesday morning. Rebane initially assumed the vulnerability was finally fixed.
Shortly thereafter, he learned that it remained unpatched. Google removed the post, but it remains available on archival sites along with the exploit code. Google representatives did not immediately respond to an email asking how and why the vulnerability and exploit code were published and if or when a fix would become available.
Rebane confirmed that Brave, Opera, Vivaldi, and Arc are also vulnerable. Both Firefox and Safari are unaffected because they do not support the browser-fetching feature. Users of Chromium browsers should be suspicious of download dropdowns that appear for no reason.
Key Facts
Story Timeline
3 events- Late 2022
Lyra Rebane privately reported the vulnerability to Google.
1 sourceArs Technica - Wednesday morning
Google published the vulnerability and exploit code to the Chromium bug tracker.
1 sourceArs Technica - Wednesday
Google removed the post after publication.
1 sourceArs Technica
Potential Impact
- 01
Users of Chromium-based browsers may encounter persistent connections that remain active after browser or device restarts.
- 02
Attackers could potentially monitor browser activity or use compromised devices for proxied denial-of-service attacks.
Transparency Panel
Related Stories
EuronewsWorld Urban Forum 2026 Draws 57,000 Participants from 176 Countries
The 13th World Urban Forum concluded with discussions on housing, climate resilience and urban governance. Organisers reported that the sessions informed future strategic priorities.
theverge.comTrump Mobile website still lists T1 phone as American-made
The product page for the T1 phone continues to describe the device as American-made. The Verge reported that the site may conflict with FTC advertising rules. The phone was announced in June 2025.
France 24EU Discusses Readiness for Artificial Intelligence Changes
A France 24 program examined whether European Union policies can address the effects of artificial intelligence. The discussion covered potential impacts across daily life and economic sectors.