Medium

Cross-origin data leak in Google Chrome Background Fetch API

IdentifiersCVE-2026-1504CWE-436

CVE-2026-1504 is a high-severity vulnerability in the Background Fetch API implementation in Google Chrome prior to 144.0.7559.110. The issue is described by Google as an inappropriate implementation in Background Fetch and, per the provided advisory content, can be triggered by a crafted HTML page to leak cross-origin data. The flaw affects Chrome’s handling of background data transfers initiated through the Background Fetch API, a feature that allows web applications to continue large downloads after a tab is closed or the user navigates away. While Google has withheld detailed technical specifics, the available information indicates a logic/implementation error that breaks expected origin isolation boundaries during background fetch processing.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a remote attacker to obtain cross-origin data that should not be accessible to the attacker-controlled origin. This is an information disclosure issue affecting browser-enforced origin separation. Depending on the victim’s browsing context and accessible data, exploitation could expose sensitive content associated with other origins. The provided Debian advisory also generically notes possible arbitrary code execution, denial of service, or information disclosure for Chromium updates, but the specific vulnerability information supplied for CVE-2026-1504 supports cross-origin data leakage as the verified impact.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure to untrusted web content. The provided advisory recommends restricting browsing to trusted sites, applying enterprise URL filtering, and isolating browser sessions through sandboxed environments, VDI, or separate browser profiles to reduce the chance that a user visits a crafted HTML page that triggers the flaw. These are temporary risk-reduction measures and not a substitute for updating.

Remediation

Patch, then assume compromise.

Upgrade Google Chrome to version 144.0.7559.110 or later. The provided content states the issue is fixed in Chrome 144.0.7559.109/110, with Windows and macOS receiving 144.0.7559.109 or 144.0.7559.110 and Linux receiving 144.0.7559.109 in the rollout; the advisory specifically recommends upgrading Chrome to 144.0.7559.110 or later. For Debian Chromium, apply the vendor security update by upgrading chromium to 144.0.7559.109-1~deb12u1 on bookworm or 144.0.7559.109-1~deb13u1 on trixie, as applicable.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

GoogleChromeapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

15 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

15 SOURCESView more in app

the hacker newsNews

Feb 2, 2026

⚡ Weekly Recap: Proxy Botnet, Office Zero-Day, MongoDB Ransoms, AI Hijacks & New Threats

Unknown (listed as a trending CVE affecting Google Chrome; no technical details provided in the content).

cyber security newsNews

Jan 28, 2026

Chrome Security Update Patches Background Fetch API Vulnerability

A high-severity vulnerability in Google Chrome’s Background Fetch API implementation described as an “inappropriate implementation,” which could allow threat actors to manipulate background fetch operations.

security online infoNews

Jan 28, 2026

Under Attack: Critical Fortinet Auth Bypass (CVE-2026-24858) Exploited in the Wild

Unknown (only referenced as a high-severity Chrome Background Fetch flaw; no details provided in the content).

security online infoNews

Jan 28, 2026

Chrome Patches High-Severity Background Fetch Flaw (CVE-2026-1504)

A high-severity logic/implementation flaw in Google Chrome’s Background Fetch API (background data transfer/download handling) that could potentially be abused by malicious sites to impact user data or browser integrity.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity8

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-1504

NVD

nvd.nist.gov/vuln/detail/CVE-2026-1504

MITRE CWE · CWE-436

cwe.mitre.org

Release Notes

chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_27.html

Permissions Required

issues.chromium.org/issues/474435504