
Unpatched Chromium Service Worker persistence flaw exposed in tracker

1 unique source, 1 article

Summary


A Service Worker persistence flaw in Chromium-based browsers allowed JavaScript to keep running in the background after the browser was closed, enabling remote code execution (RCE) on devices. The vulnerability was reported in December 2022 and remained unpatched despite being marked as fixed in February 2026. Google inadvertently exposed technical details in the Chromium Issue Tracker for 14 weeks, increasing the risk of exploitation. Affected browsers include Chrome, Edge, Brave, Opera, Vivaldi, and Arc.

Timeline

  1. 21.05.2026 21:13 · 1 article

    Chromium Service Worker persistence flaw details exposed in public tracker for 14 weeks

    Google accidentally published technical details of an unfixed Chromium Service Worker persistence flaw in the public Chromium Issue Tracker on May 20, 2026. The issue, originally reported in December 2022, was marked as fixed in February 2026 but remained unpatched. The exposure increased the risk of exploitation, including silent JavaScript RCE and botnet recruitment, before the details were re-privatized on May 21, 2026.


Information Snippets

  • The flaw enables a malicious webpage to deploy a Service Worker that remains active even after the browser is closed, executing JavaScript code on the visitor's device.

    First reported: 21.05.2026 21:13
    1 source, 1 article
  • Reported by security researcher Lyra Rebane and acknowledged as valid in December 2022.

    First reported: 21.05.2026 21:13
    1 source, 1 article
  • Google marked the issue as fixed on February 12, 2026, but a patch had not been deployed at the time.

    First reported: 21.05.2026 21:13
    1 source, 1 article
  • Technical details were publicly exposed in the Chromium Issue Tracker from May 20 to May 21, 2026, following removal of access restrictions.

    First reported: 21.05.2026 21:13
    1 source, 1 article
  • Exploitation could facilitate distributed denial-of-service (DDoS) attacks, malicious traffic proxying, and arbitrary redirection to target sites.

    First reported: 21.05.2026 21:13
    1 source, 1 article
  • The issue impacts all Chromium-based browsers, including Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Arc.

    First reported: 21.05.2026 21:13
    1 source, 1 article
  • In Edge, the exploit operates silently without user interaction or download prompts, maintaining persistence after browser closure.

    First reported: 21.05.2026 21:13
    1 source, 1 article