Google Exposes Unfixed Chromium Flaw Allowing Remote Code Execution
Severity: High (Score: 66.0)
Sources: Bleepingcomputer
Keywords: google, accidentally, details, unfixed, chromium, exposed, flaw
Severity indicators: flaw
Summary
Google has inadvertently revealed details of an unfixed vulnerability in Chromium that allows JavaScript to run in the background even after the browser is closed, enabling remote code execution (RCE) on affected devices. This flaw, reported by researcher Lyra Rebane in December 2022, affects all Chromium-based browsers, including Chrome, Edge, and Opera. Attackers can exploit this vulnerability by creating malicious web pages that utilize Service Workers, potentially leading to the formation of a botnet without user awareness.

The issue was marked as fixed in February 2026, but subsequent testing revealed that the flaw persists in Chrome Dev and Edge versions. On May 20, 2026, access restrictions on the Chromium Issue Tracker were lifted, exposing the vulnerability details. The researcher confirmed that the exploit remains functional and is now even stealthier, as it no longer triggers a download prompt in Edge. Although the issue was made private again, the exposure of this information raises significant security concerns.

Key Points:
- A critical unfixed vulnerability in Chromium allows remote code execution.
- The flaw affects all Chromium-based browsers, including Chrome and Edge.
- The issue remains exploitable despite being marked as fixed earlier this year.
Detailed Analysis
**Impact** All users of Chromium-based browsers—including Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Arc—are affected globally. The vulnerability allows remote code execution (RCE) via persistent JavaScript running in the background after browser closure, enabling attackers to create stealthy botnets for DDoS attacks, proxying malicious traffic, or redirecting users. While no direct access to emails, files, or host OS is granted, the scale of potential exploitation is significant due to the widespread use of affected browsers.

**Technical Details** The attack leverages a Service Worker flaw that allows JavaScript to run indefinitely in the background without user interaction, even after closing the browser. Exploitation occurs through a malicious webpage that initiates a never-terminating download task, enabling silent remote code execution. The issue was reported in December 2022, tracked in Chromium Issue Tracker, and marked fixed in February 2026 without an effective patch deployed. No CVE identifiers or specific malware/tool names are provided. The vulnerability affects the persistence and execution stages of the kill chain.

**Recommended Response** Defenders should monitor for unusual Service Worker activity and network traffic indicative of persistent background JavaScript execution. Apply any emergency patches Google releases promptly once available. Until a confirmed fix is deployed, restrict or audit browser extensions and Service Worker registrations, and consider user awareness campaigns about visiting untrusted websites. No specific IOCs or detection signatures are provided in the available information.
Source articles (2)
- Google accidentally exposed details of unfixed Chromium flaw — Bleepingcomputer · 2026-05-21
Google has accidentally leaked details of an unfixed issue in Chromium that keeps JavaScript running in the background even when the browser is closed, allowing remote code execution on the device. The f…
- Google accidentally exposed details of unfixed Chromium flaw — Bleepingcomputer · 2026-05-21
Google has accidentally leaked details of an unfixed issue in Chromium that keeps JavaScript running in the background even when the browser is closed, allowing remote code execution on the device. The f…
Timeline
- 2022-12-01 — Vulnerability reported by Lyra Rebane: Rebane reported a flaw in Chromium that allows JavaScript to run in the background, enabling RCE.
- 2024-10-26 — Google developer flags the issue: A Google developer noted the vulnerability was still open and required a status update due to its severity.
- 2026-02-10 — Issue marked as fixed: The vulnerability was marked as fixed but reopened shortly after due to concerns about the patch.
- 2026-02-12 — Bug bounty awarded: Rebane received a $1,000 bug bounty for reporting the vulnerability, despite the patch not being shipped.
- 2026-05-20 — Access restrictions lifted: All access restrictions on the Chromium Issue Tracker were removed, exposing the vulnerability details.
- 2026-05-21 — Rebane confirms exploit still works: Rebane tested the fix and confirmed the vulnerability persists, allowing silent RCE without user interaction.
Related entities
- Botnet (Attack Type)
- DDoS (Attack Type)
- Zero-day Exploit (Attack Type)
- Google (Company)
- T1059.007 - JavaScript (MITRE ATT&CK)
- T1071 - Application Layer Protocol (MITRE ATT&CK)
- Arc (Platform)
- Brave (Platform)
- Microsoft Edge (Platform)
- Opera (Platform)
- Vivaldi (Platform)
- Google Chrome (Tool)