Chromium JavaScript background RCE flaw
Vulnerability
Summary
Hide ▲
Show ▼
The unfixed Chromium flaw keeps JavaScript running after the browser is closed, creating remote code execution risk across Chromium-based browsers. A malicious site can abuse a Service Worker that never terminates, potentially turning a single visit into persistent background execution. The issue was already acknowledged as valid in December 2022, yet it was still reproducible in Chrome Dev 150 and Edge 148 when retested on May 20. Because the leaked details describe a workable path to silent browser compromise, exposure could make abuse much easier.
Related Happenings
Chrome/Dawn actively exploited use-after-free flaw (CVE-2026-5281)
Vulnerability
First: 01.04.2026 13:25
Last: 01.04.2026 13:25
Sources 1
About this happening:
**Google Chrome Stable Desktop** on **Windows, macOS, and Linux** is getting an **emergency fix** for **CVE-2026-5281**, a **use-after-free** flaw in **Dawn/WebGPU**. Google says...
Chrome/Dawn actively exploited use-after-free flaw (CVE-2026-5281)
VulnerabilityAbout this happening: **Google Chrome Stable Desktop** on **Windows, macOS, and Linux** is getting an **emergency fix** for **CVE-2026-5281**, a **use-after-free** flaw in **Dawn/WebGPU**. Google says...
Chrome Skia and V8 exploited zero-days (multiple vulnerabilities)
Vulnerability
First: 13.03.2026 11:17
Last: 13.03.2026 11:17
Sources 1
About this happening:
**Chrome** on **Windows, macOS, and Linux** is affected by two **high-severity zero-days**, **CVE-2026-3909** and **CVE-2026-3910**, that Google says were **exploited in the wild*...
Chrome Skia and V8 exploited zero-days (multiple vulnerabilities)
VulnerabilityAbout this happening: **Chrome** on **Windows, macOS, and Linux** is affected by two **high-severity zero-days**, **CVE-2026-3909** and **CVE-2026-3910**, that Google says were **exploited in the wild*...
Perplexity Comet prompt-injection research shows agentic browsers can be trained into phishing traps
Technical Analysis
First: 11.03.2026 18:38
Last: 11.03.2026 18:38
Sources 1
About this happening:
**Perplexity's Comet AI browser** is the focus of a **technical analysis** thread showing how **prompt injection** and **malicious URLs** can steer an agentic browser into **data...
Perplexity Comet prompt-injection research shows agentic browsers can be trained into phishing traps
Technical AnalysisAbout this happening: **Perplexity's Comet AI browser** is the focus of a **technical analysis** thread showing how **prompt injection** and **malicious URLs** can steer an agentic browser into **data...
QuickLens and ShotBird malicious Chrome extension update chain
Malware Activity
First: 09.03.2026 12:28
Last: 09.03.2026 12:28
Sources 1
About this happening:
The **QuickLens** and **ShotBird** Chrome extensions have become **malicious after ownership transfer**, turning trusted add-ons into a delivery path for code injection and data t...
QuickLens and ShotBird malicious Chrome extension update chain
Malware ActivityAbout this happening: The **QuickLens** and **ShotBird** Chrome extensions have become **malicious after ownership transfer**, turning trusted add-ons into a delivery path for code injection and data t...
Google Gemini AI in Chrome privilege escalation flaw (CVE-2026-0628)
Vulnerability
First: 02.03.2026 12:27
Last: 02.03.2026 12:27
Sources 1
About this happening:
**Google** has fixed **CVE-2026-0628** in **Gemini AI in Chrome**, a high-severity flaw that let a malicious extension hijack the privileged Gemini side panel and expose user priv...
Google Gemini AI in Chrome privilege escalation flaw (CVE-2026-0628)
VulnerabilityAbout this happening: **Google** has fixed **CVE-2026-0628** in **Gemini AI in Chrome**, a high-severity flaw that let a malicious extension hijack the privileged Gemini side panel and expose user priv...
Latest development: 02.03.2026 19:08
Palo Alto Networks Unit 42 researcher Gal Weizman discovered and reported CVE-2026-0628 in Google Chrome on November 23, 2025, identifying insufficient policy enforcement in the WebView tag that could let a malicious extension inject scripts or HTML into a privileged page and seize control of the Gemini Live panel.
Timeline
-
21.05.2026 21:13 1 articles · 6d ago
Initial report: Chromium JavaScript background RCE flaw
Initial DisclosureIn **December 2022**, Chromium maintainers validated a background-execution flaw that could keep a Service Worker alive after the browser was closed. By **May 20**, retesting showed the behavior still worked in **Chrome Dev 150** and **Edge 148**, indicating the weakness had not been fully fixed.
Show sources
- Google accidentally exposed details of unfixed Chromium flaw — www.bleepingcomputer.com — 21.05.2026 21:13