By Dan Goodin
Publication Date: 2026-05-20 19:10:00
Google on Wednesday published exploit code for an unfixed vulnerability in its Chromium browser codebase that threatens millions of people using Chrome, Microsoft Edge, and virtually all other Chromium-based browsers.
The proof-of-concept code exploits the Browser Fetch programming interface, a standard that allows long videos and other large files to be downloaded in the background. An attacker can use the exploit to create a connection for monitoring some aspects of a user’s browser usage and as a proxy for viewing sites and launching denial-of-service attacks. Depending on the browser, the connections either reopen or remain open even after it or the device running it has rebooted.
Unfixed for 29 months (and counting)
The unfixed vulnerability can be exploited by any website a user visits. In effect, a compromise amounts to a limited backdoor that makes a device part of a limited botnet. The capabilities are limited to…
/cdn.vox-cdn.com/uploads/chorus_asset/file/24016884/STK093_Google_05.jpg?resize=1200,628&ssl=1 "Google inks nuclear deal for next-generation reactors")