Google's 2026 Blunder: Unfixed Chromium Flaw Exposed


The story starts back in December 2022, when security researcher Lyra Rebane reported a serious, unfixed Chromium flaw to the Chromium Issue Tracker. Google acknowledged it as valid, recognizing its potential severity. This initial report kicked off a lengthy, and ultimately problematic, internal process. Fast forward to October 26, 2024, nearly two years after the initial report, and a Google developer noted the issue was still open and, critically, called it a "serious vulnerability." This internal acknowledgment underscored the ongoing risk, yet a definitive resolution remained elusive.

The Incident: Google's Unfixed Chromium Flaw and Public Exposure

Then things got messy. On February 10, 2026, the issue was prematurely marked as fixed, only to be reopened minutes later due to internal concerns about the completeness of the patch. This initial false positive was a red flag. Two days later, on February 12, it was marked fixed *again* in the system, despite the crucial fact that no actual patch had shipped to users. This second erroneous closure was particularly egregious. The labels were updated for the Chrome Vulnerability Rewards Program (VRP) Panel, and Rebane was awarded a $1,000 bounty for her discovery of this significant unfixed Chromium flaw. The bounty, while a standard part of the program, now appears disproportionate given the bug's longevity and eventual public exposure.

Here's the part that should worry you: On May 20, 2026, Google removed access restrictions on the Chromium Issue Tracker. This action was taken because the bug had been *closed* for over 14 weeks and *marked* fixed in their internal systems. The problem, as Rebane quickly discovered through her own testing, was that it wasn't fixed at all. She diligently tested the supposed "fix" and found the problem still present and exploitable in Chrome Dev 150 and Edge 148. This critical oversight meant that the full technical details of a severe, unpatched vulnerability – this unfixed Chromium flaw – were now publicly accessible.

Rebane then publicly stated that the exploit still worked, realizing Google had published the full details by mistake. This isn't a confidentiality breach like Storm-0558, where a signing key was stolen; instead, this incident represents a profound availability and integrity issue stemming from a process failure. A known, unpatched Remote Code Execution (RCE) vulnerability was accidentally exposed to the world, giving attackers a clear roadmap. The distinction matters significantly when you're trying to defend against such a threat, as the exposure of an unfixed Chromium flaw changes the threat landscape dramatically.

The Mechanism: How the Unfixed Chromium Flaw Enables Persistent JavaScript

So, what exactly is this persistent unfixed Chromium flaw? At its core, it lets JavaScript run in the background even after you've closed your browser. This behavior fundamentally violates user expectations and browser security models, where closing a browser window should terminate all associated scripts. The mechanism leverages a legitimate browser feature, Service Workers, for malicious purposes, turning them into a vector for this unfixed Chromium flaw.

Here's the attack chain in more detail:

  1. An attacker creates a malicious webpage designed to exploit this vulnerability.
  2. This page uses a Service Worker, which is a powerful script that your browser runs in the background, entirely separate from the webpage itself. Think of it like a persistent local proxy or an always-on background process for web applications.
  3. The attacker configures this Service Worker to perform a task that never terminates, for instance initiating a download task that simply hangs indefinitely, or a background fetch operation that never resolves. This keeps the Service Worker active.
  4. Once the Service Worker is active and persistently running, it can continue executing arbitrary JavaScript code on the victim's device, even if the user closes the browser window or tab. This persistence is the key to the exploit.
  5. This persistent execution capability means that Remote Code Execution (RCE) is possible within the browser's sandbox, allowing attackers to maintain a foothold on the victim's system for extended periods.
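The chain above hinges on a registration whose worker stays alive after its tabs are gone, so the practical defender's question is "which registrations does this origin hold, and are any of them running?" The following is an added audit script, written for this article and not code from the article, from Rebane's report or from the Chromium project. It lists the service worker registrations visible to the current origin, flags those with a live active or waiting worker, and unregisters any not on an allowlist you supply. The allowlist scopes and the sample registrations used for the offline run are constructed placeholders; `navigator.serviceWorker.getRegistrations()` only returns registrations for the origin the page is on, so it is a per-site check, not a whole-profile one.

```javascript
// Added defensive example (not from the article or the Chromium project):
// audit the service worker registrations visible to the current origin and
// unregister any that are not on an explicit allowlist. Run it from the
// DevTools console of the site being checked.

// Pure decision logic, kept apart from the browser APIs so it runs in Node.
// Each summary is plain data: { scope, active, waiting } where active/waiting
// hold the worker's state string or null when no such worker exists.
function classifyRegistrations(summaries, allowedScopes) {
  const allowed = new Set(allowedScopes);
  return summaries.map((s) => ({
    scope: s.scope,
    // A registration with a live active or waiting worker is the one that can
    // keep executing after its tabs close; flag it unless explicitly allowed.
    running: Boolean(s.active || s.waiting),
    action: allowed.has(s.scope) ? 'keep' : 'unregister',
  }));
}

// Reduce a real ServiceWorkerRegistration to the plain summary above.
function summarise(reg) {
  return {
    scope: reg.scope,
    active: reg.active ? reg.active.state : null,
    waiting: reg.waiting ? reg.waiting.state : null,
  };
}

// Browser entry point. allowedScopes is a list of registration scope URLs you
// trust, e.g. ['https://app.example.test/'] (hypothetical value). With dryRun
// left at true nothing is removed; the plan is only logged and returned.
async function auditServiceWorkers(allowedScopes = [], dryRun = true) {
  if (typeof navigator === 'undefined' || !navigator.serviceWorker) {
    throw new Error('service workers are not available in this context');
  }
  const regs = await navigator.serviceWorker.getRegistrations();
  const plan = classifyRegistrations(regs.map(summarise), allowedScopes);
  for (const [i, entry] of plan.entries()) {
    console.log(`${entry.scope}: running=${entry.running} -> ${entry.action}`);
    if (!dryRun && entry.action === 'unregister') {
      await regs[i].unregister(); // map() preserves order, so indices align
    }
  }
  // Background Fetch is the Chromium-only API the article ties the persistence
  // to; Firefox and Safari do not expose this global at all.
  const backgroundFetchSupported = typeof BackgroundFetchManager !== 'undefined';
  return { plan, backgroundFetchSupported };
}

// Constructed sample registrations for an offline run (not real data).
const SAMPLE_REGISTRATIONS = [
  { scope: 'https://app.example.test/', active: 'activated', waiting: null },
  { scope: 'https://ads.example.test/', active: 'activated', waiting: null },
  { scope: 'https://old.example.test/', active: null, waiting: null },
];
```

`unregister()` removes the registration so the worker is not started again; to see and stop workers across every origin in the profile, Chromium's chrome://serviceworker-internals page remains the authoritative view.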

What makes this particularly nasty is the stealth factor. Rebane noted that in the latest Microsoft Edge, the exploit no longer triggers a download menu pop-up or any other visual indication. That means the RCE can happen completely silently, without any visual cue to the user that their browser is still actively running malicious code in the background. This silent persistence significantly amplifies the danger of this unfixed Chromium flaw.

The Impact: The Unfixed Chromium Flaw's Widespread Threat

This isn't some niche vulnerability affecting a handful of users. It affects *all* Chromium-based browsers, which collectively dominate the internet browsing landscape. That includes Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Arc. This represents a massive attack surface, potentially exposing billions of users to the risks posed by this unfixed Chromium flaw.

The practical impact is severe and varied, directly stemming from this unfixed Chromium flaw. An attacker could leverage this vulnerability to launch distributed denial-of-service (DDoS) attacks from compromised browsers, turning unsuspecting users into unwitting participants in cyber warfare. They could proxy malicious traffic through victims' devices, masking their origins and making attribution difficult. Furthermore, arbitrary traffic redirection is possible, leading users to phishing sites or malware downloads without their knowledge.

While the bug doesn't bypass browser security boundaries to give attackers direct access to your emails, local files, or the host operating system, it does effectively turn your browser into a persistent, unwitting participant in malicious activity, a silent botnet node operating in the background. This persistent access could also be used for ad fraud, cryptocurrency mining, or even to maintain long-term tracking of users.

On Reddit and Hacker News, the sentiment is a mix of deep concern and palpable frustration. People are worried about the widespread impact and the potential for silent exploitation, especially with Edge's stealthier behavior. There's strong criticism for Google's prolonged delay in fixing a bug reported almost four years ago, and for the accidental disclosure of an unpatched flaw. Some users question Google's priorities, suggesting a focus on AI initiatives over fundamental bug fixes and robust security practices.

While some comments downplay the immediate security impact as "limited" to persistent service workers for specific tasks like tracking or crypto mining, the overall sentiment leans heavily towards alarm over the potential for browser-based botnets and the implications of such a critical unfixed Chromium flaw being publicly known. It's important to note that Firefox and Safari users are unaffected, as these browsers do not support the specific background-fetch feature this exploit relies on, highlighting a key architectural difference.

The Response: Addressing the Unfixed Chromium Flaw

Given the public exposure of the exploit details, Google is now under immense pressure to treat this as an urgent matter and release emergency fixes soon. They have no other choice; the cat's truly out of the bag, and every day this unfixed Chromium flaw remains unpatched, millions of users are at heightened risk. This incident demands an immediate and decisive response from the Chromium project maintainers and all browser vendors built on its foundation.

But this incident highlights a deeper, systemic problem within Google's vulnerability management. A "serious vulnerability" sat unpatched for nearly four years, accumulating risk and demonstrating a significant lapse in internal processes. Google's own Project Zero, renowned for its strict 90-day disclosure policy for third-party vulnerabilities, stands in stark contrast to this internal failure. Google's internal processes allowed a critical bug in its own flagship product to languish for over 1,200 days.

The paltry $1,000 bug bounty for a flaw of this magnitude, especially one that sat open for so long and was then accidentally disclosed, also feels disproportionate to the actual risk and the effort required by the researcher, underscoring the severity of this unfixed Chromium flaw. It raises questions about how Google values security research into its own products.

A technical oversight of this scale is, at its core, a process failure. It shows a profound disconnect between the internal tracking of a bug's status and its actual remediation and deployment. For users, the takeaway is clear: keep your browsers updated, always, and consider using browsers that offer stronger isolation or different architectural approaches if you are particularly concerned.

For Google and other browser vendors, this should serve as a profound wake-up call to re-evaluate internal vulnerability management workflows, especially the handoff between bug tracking, patching, and public disclosure. The system worked exactly as designed to *mark* the bug fixed, and that's precisely the problem. True security requires not just identifying flaws, but diligently fixing them and ensuring their status is accurately reflected before public exposure. The continued existence of this unfixed Chromium flaw is a stark reminder of that.

Daniel Marsh
Former SOC analyst turned security writer. Methodical and evidence-driven, breaks down breaches and vulnerabilities with clarity, not drama.