Google Published Exploit Code for an Unpatched Chromium Browser Fetch Flaw While Shipping Chrome Fixes
Google has publicly released proof-of-concept exploit code for a long-unfixed Chromium vulnerability in the Browser Fetch API (the Service Worker background-fetch mechanism), exposing Chrome, Microsoft Edge, Brave, Opera and other Chromium-based browsers to abuse by any malicious website a user visits. Researcher Lyra Rebane reported the flaw in late 2022, and it remained unresolved for years despite being classified internally as serious. The bug lets a malicious page register a Service Worker and create a background fetch task that persists as a covert communication channel, which can be used for browser monitoring, anonymous proxying, traffic redirection and, at scale, browser-based botnets; some implementations reportedly keep the connection alive even after the browser is closed or the device reboots.
At the same time, Google shipped Chrome Stable Channel updates to 148.0.7778.178/179 that fix several newly disclosed flaws in earlier versions, which government and vulnerability trackers highlighted. They include CVE-2026-9120, a high-severity use-after-free in WebRTC that could allow code execution via a crafted HTML page; CVE-2026-9126, a use-after-free in the DOM with similar impact; and CVE-2026-9121, an out-of-bounds read in the GPU component that could lead to heap corruption. All three give an attacker code execution inside the browser sandbox, so a separate sandbox escape would still be needed for a full system compromise. The contrast between these patched memory-corruption bugs and the still-unfixed Browser Fetch issue, which needs no memory corruption at all, raised concern because the published exploit code lowers the barrier to abuse across millions of Chromium users. Recommended mitigations are to restrict Service Worker use, disable background fetch where possible, monitor outbound browser traffic for persistent or regularly repeating connections, and consider browser isolation in enterprise environments.
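The traffic-monitoring recommendation above is the one a defender can act on immediately. As an added example that is not from the original page or any of its sources, the following Python script scores browser-originated connections in a proxy log by how regularly they recur to the same host, which is the shape a Service Worker covert channel takes on the wire. The log format, the process names, the hosts and the thresholds are all assumptions for illustration; adapt the parser to your proxy's actual schema.

```python
"""Flag regularly repeating ("beaconing") browser connections in proxy logs.

Added example, not code from the page or its sources. A background fetch task
abused as a covert channel shows up as a browser process talking to one
external host on a fixed cadence, long after the user stopped interacting with
the site. This script groups connections by (client, host), measures the
spread of the inter-arrival times and flags pairs whose cadence is suspiciously
regular.
"""
from __future__ import annotations

import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines in a hypothetical "timestamp client process host bytes"
# format. Lines are deliberately not in global time order, as real exports often are.
SAMPLE_LOG = """\
2026-05-21T09:00:00Z 10.0.0.5 chrome.exe cdn.example.net 4096
2026-05-21T09:00:30Z 10.0.0.5 chrome.exe c2.example.org 128
2026-05-21T09:01:00Z 10.0.0.5 chrome.exe c2.example.org 130
2026-05-21T09:01:30Z 10.0.0.5 chrome.exe c2.example.org 127
2026-05-21T09:02:00Z 10.0.0.5 chrome.exe c2.example.org 129
2026-05-21T09:02:30Z 10.0.0.5 chrome.exe c2.example.org 128
2026-05-21T09:03:00Z 10.0.0.5 chrome.exe c2.example.org 131
2026-05-21T09:00:05Z 10.0.0.5 chrome.exe mail.example.com 90000
2026-05-21T09:07:41Z 10.0.0.5 chrome.exe mail.example.com 12000
2026-05-21T09:19:12Z 10.0.0.5 chrome.exe mail.example.com 44000
2026-05-21T09:00:10Z 10.0.0.7 msedge.exe updates.example.com 2048
"""

# Assumed process names for Chromium-based browsers on Windows; extend per platform.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}
MIN_CONNECTIONS = 5   # fewer than this is not enough to call a cadence "regular"
MAX_JITTER = 0.15     # coefficient of variation of inter-arrival times (stdev / mean)


def parse_line(line: str) -> tuple[datetime, str, str, str, int]:
    """Split one log line into (timestamp, client, process, host, bytes_out)."""
    ts, client, process, host, nbytes = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, client, process, host, int(nbytes)


def beacon_scores(log_text: str, browsers: set[str] = BROWSER_PROCESSES) -> dict:
    """Return {(client, host): {count, median_interval, jitter}} for browser traffic."""
    seen: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        when, client, process, host, _ = parse_line(raw)
        if process.lower() not in browsers:
            continue  # only browser-originated traffic is in scope for this check
        seen[(client, host)].append(when)

    scores = {}
    for key, times in seen.items():
        times.sort()  # per-pair ordering makes the input order irrelevant
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if not gaps:
            scores[key] = {"count": len(times), "median_interval": None, "jitter": None}
            continue
        mean = statistics.mean(gaps)
        # A zero mean means several connections at the same instant (a parallel
        # burst such as page load), which is not a cadence; leave jitter undefined.
        jitter = statistics.pstdev(gaps) / mean if mean > 0 else None
        scores[key] = {
            "count": len(times),
            "median_interval": statistics.median(gaps),
            "jitter": jitter,
        }
    return scores


def flag_beacons(
    log_text: str,
    min_connections: int = MIN_CONNECTIONS,
    max_jitter: float = MAX_JITTER,
) -> list[tuple[str, str]]:
    """List (client, host) pairs that repeat often enough and regularly enough."""
    hits = []
    for (client, host), s in beacon_scores(log_text).items():
        if s["count"] >= min_connections and s["jitter"] is not None and s["jitter"] <= max_jitter:
            hits.append((client, host))
    return sorted(hits)


if __name__ == "__main__":
    scores = beacon_scores(SAMPLE_LOG)
    for client, host in flag_beacons(SAMPLE_LOG):
        s = scores[(client, host)]
        print(f"{client} -> {host}: {s['count']} connections every ~{s['median_interval']:.0f}s")
```

On the constructed sample the webmail session is noisy and short-lived and is not flagged, while the 30-second cadence to c2.example.org is. In practice, run this against egress logs after the user's browser windows are closed, or compare against an allowlist of the organisation's own origins, to separate legitimate push and sync traffic from a channel that should not still be open.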

How this story unfolded
Six events, from the most recent confirmed update back to the earliest known activity.
Google publishes PoC exploit code for the unfixed Chromium flaw
In May 2026 Google publicly released proof-of-concept exploit code for the unfixed Chromium Browser Fetch API vulnerability. The flaw affects Chrome, Edge and other Chromium-based browsers and can be abused for persistent communications, proxying, botnet activity and denial-of-service operations.
CVE-2026-9126 recorded for a Chrome DOM use-after-free
CVE-2026-9126 was recorded on May 20, 2026 as a use-after-free in Chrome's DOM component. It affects versions prior to 148.0.7778.179 and could allow arbitrary code execution inside the browser sandbox through a crafted HTML page.
CVE-2026-9121 recorded for a Chrome GPU out-of-bounds read
CVE-2026-9121 was recorded on May 20, 2026 for an out-of-bounds read in Chrome's GPU component affecting versions prior to 148.0.7778.179. Exploitation via a crafted HTML page could lead to heap corruption.
CVE-2026-9120 disclosed for a Chrome WebRTC use-after-free
CVE-2026-9120 was disclosed on May 20, 2026 as a high-severity use-after-free in Chrome's WebRTC component. It affects versions prior to 148.0.7778.179 and could allow remote code execution via a crafted HTML page.
Google publishes a Chrome Stable Channel security advisory
Google published a security advisory on May 19, 2026 for Chrome Stable Channel Desktop releases. It covers vulnerabilities in versions prior to 148.0.7778.178/179 on Windows and Mac and prior to 148.0.7778.178 on Linux.
Researcher privately reports the Chromium Browser Fetch API flaw to Google
Independent researcher Lyra Rebane privately reported the Browser Fetch API vulnerability in Chromium to Google in late 2022. The flaw lets malicious sites create persistent background connections for monitoring, proxying or denial-of-service activity.
Sources
Six references tracked.
Google Publishes Exploit Code for Unfixed Chromium Bug Exposing Millions of Users (cybersecuritynews.com)
Google publishes exploit code threatening millions of Chromium users, Ars Technica (arstechnica.com)
Google Chrome security advisory (AV26-486), Canadian Centre for Cyber Security (cyber.gc.ca)
CVE-2026-9126: Google Chrome Use After Free in DOM, Medium Severity Vulnerability (cvefeed.io)
CVE-2026-9120: Google Chrome WebRTC Use-After-Free Remote Code Execution Vulnerability (cvefeed.io)
CVE-2026-9121: Google Chrome GPU Out-of-Bounds Read Heap Corruption (cvefeed.io)