Chromium Flaws Expose Browsers to Persistent Abuse and Session Theft
A serious unpatched Chromium vulnerability was accidentally exposed after Google engineers marked the issue as fixed without shipping a patch, causing the bug report and proof-of-concept to become public. The flaw, originally reported in 2022, abuses the Background Fetch API to keep a Service Worker and malicious JavaScript running after the browser is closed and, in some cases, even after a device reboot. Affected products include Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Arc. The bug could let attackers abuse victims’ browsers for proxying traffic, launching DDoS activity, opening websites, and tracking user behavior; Google later re-hid the report and said it is working on a fix.
Separately, researchers analyzing the VoidStealer infostealer found it can bypass Chrome’s Application-Bound Encryption (ABE) on Windows by attaching to the browser as a debugger, intercepting the moment Chrome decrypts protected data, and extracting the master key from memory. That technique enables theft of cookies, sessions, and other sensitive browser data, and the risk extends to other Chromium-based browsers using the same protection model. Together, the disclosures show that Chromium ecosystems face both browser-level persistence abuse and post-compromise data theft, with defenders urged to watch for unusual download-menu behavior, keep browsers updated as fixes arrive, and harden endpoints against infostealer activity.
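One way to hunt for the debugger-attach behaviour described above, added here as an example and not taken from Kaspersky's report or any vendor rule: filter Sysmon ProcessAccess (Event ID 10) records for foreign processes that open a Chromium browser with memory-read rights. The browser executable list, the allowlist and the sample events are constructed assumptions.

```python
import ntpath

# Assumed executable names for the Chromium-based browsers named on this page.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe", "arc.exe"}
PROCESS_VM_READ = 0x0010  # Windows process access right needed to read another process's memory

# Assumed allowlist of sources expected to open browser processes; tune per environment.
ALLOWLIST = {r"c:\windows\system32\csrss.exe"}

# Constructed sample records using Sysmon Event ID 10 field names.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"SourceImage": CHROME, "TargetImage": CHROME, "GrantedAccess": "0x1fffff"},
    {"SourceImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "TargetImage": CHROME, "GrantedAccess": "0x1fffff"},
    {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": CHROME, "GrantedAccess": "0x1fffff"},
    {"SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Users\alice\Downloads\chrome.exe",
     "TargetImage": CHROME, "GrantedAccess": "0x1f0fff"},
    {"SourceImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1fffff"},
]

def suspicious_browser_access(events, allowlist=ALLOWLIST):
    """Return (source, target, mask) for foreign processes opening a browser with VM read."""
    hits = []
    for ev in events:
        src = ev["SourceImage"].lower()
        dst = ev["TargetImage"].lower()
        if ntpath.basename(dst) not in BROWSERS:
            continue  # target is not a watched browser
        # Compare full paths, not names: a look-alike chrome.exe elsewhere is still foreign.
        if src == dst or src in allowlist:
            continue
        mask = int(ev["GrantedAccess"], 16)
        if mask & PROCESS_VM_READ:
            hits.append((ev["SourceImage"], ev["TargetImage"], hex(mask)))
    return hits

if __name__ == "__main__":
    for hit in suspicious_browser_access(SAMPLE_EVENTS):
        print("ALERT", *hit)
```

Security products and crash handlers legitimately open browsers with these rights, so the result is a triage list rather than a verdict.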

How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Kaspersky researchers disclose Qualcomm BootROM flaw at Black Hat Asia 2026
Kaspersky ICS CERT researchers Alexander Kozlov and Sergey Anufrienko publicly disclosed the Qualcomm BootROM vulnerability CVE-2026-25262 at Black Hat Asia 2026. They described it as a write-what-where flaw in the Sahara protocol that can enable arbitrary memory writes before the operating system loads.
Google re-hides Chromium report and says a fix is in progress
Google later re-restricted access to the accidentally disclosed Chromium vulnerability report and acknowledged awareness of the exposure. The company said it was working on a fix for the issue.
Kaspersky reports VoidStealer bypass of Chrome ABE protections
Kaspersky described a new data-theft technique used by the VoidStealer infostealer to bypass Chrome's Application-Bound Encryption by attaching as a debugger and extracting the master key from memory. The report warned that the Malware-as-a-Service model could spread the technique broadly across Chromium-based browsers.
Qualcomm references CVE-2026-25262 in its May 2026 bulletin
Qualcomm included CVE-2026-25262 in its May 2026 security bulletin. Because the flaw resides in immutable BootROM, already shipped devices cannot be fully remediated and only mitigations are possible.
Chromium issue tracker accidentally exposes bug details and PoC
After the bug was marked fixed, the Chromium Issue Tracker automatically made the report public after 14 weeks, exposing technical details and a proof-of-concept exploit for the still-unpatched vulnerability. The disclosure affected Chromium-based browsers including Chrome, Edge, Brave, Opera, Vivaldi, and Arc.
Chromium bug is marked fixed without a released patch
Chromium developers reportedly marked the long-unpatched Background Fetch vulnerability as fixed in February 2026, but no patch had actually been released to users. This status later contributed to the issue tracker automatically exposing the report.
Qualcomm is notified of BootROM vulnerability CVE-2026-25262
Kaspersky ICS CERT researchers notified Qualcomm in March 2025 about a BootROM vulnerability in the Sahara protocol used in Emergency Download Mode. Qualcomm confirmed the issue and assigned it CVE-2026-25262.
Google introduces Chrome Application-Bound Encryption on Windows
Google added Application-Bound Encryption (ABE) in Chrome 127 to better protect cookies and other sensitive browser data on Windows from infostealers. The protection was introduced in July 2024 and later adopted by other Chromium-based browsers using the same approach.
Researcher Lyra Rebane discovers Chromium Background Fetch flaw
Independent researcher Lyra Rebane discovered a Chromium vulnerability in late 2022 involving the Background Fetch API. The flaw could keep a Service Worker and malicious JavaScript running after the browser was closed and sometimes even after a reboot.
Sources
3 references tracked.
Analyzing a new vulnerability in Qualcomm chips | Kaspersky Blog
kaspersky.ru
Google specialists accidentally published an exploit for an unpatched vulnerability - Хакер
xakep.ru
How VoidStealer bypasses Chrome's protection and steals sessions and data | Kaspersky Blog
kaspersky.ru


