Google briefly made public the technical details of an unfixed Chromium security flaw that affects Chrome and other Chromium-based browsers, including Edge, Brave, Opera, Vivaldi, and Arc. Researcher Lyra Rebane says a malicious website can abuse a Service Worker to keep JavaScript running after the browser is closed, potentially enabling stealthy botnet-style abuse such as proxying traffic or launching distributed denial-of-service attacks. No CVE is listed in the report, and the bug was reportedly marked fixed in tracking systems even though current dev builds still appeared vulnerable.
Why it matters: Simply visiting a malicious site once may be enough to leave a browser doing work in the background without the user's knowledge. Users and defenders should watch for an emergency browser update from Google and other Chromium-based vendors and apply it quickly once available.
Bill Toulas
2026.05.21
This article establishes a new story because it centers on a distinct Chromium flaw whose accidental public exposure increased near-term exploitation risk before a real fix was shipped.