Google publishes exploit code for an unfixed Chromium bug

Google has published exploit code for an unfixed Chromium vulnerability, exposing millions of users of Chrome, Microsoft Edge, Brave, Opera, Vivaldi, Arc, and other Chromium-based browsers to a risk that security researchers say should have remained private until a patch was ready. Ars Technica reported that the bug affects the Browser Fetch interface and can be abused by a malicious website to maintain a persistent service worker connection even after a browser or device restarts.
The disclosure is serious because it combines two problems at once: a long-unfixed browser flaw and public proof-of-concept code that lowers the barrier to abuse. According to Ars Technica, the researcher who reported the issue privately in late 2022 said the published exploit would be fairly easy to use, even if operating it at large scale would still take work. That is exactly the kind of disclosure gap that can turn a niche browser bug into a broader operational risk.
The reported impact is not full device takeover, but it is still substantial. The exploit can reportedly turn the browser into a limited proxy, help launch denial-of-service traffic, and reveal some patterns of browser activity. Because any visited website could potentially trigger the abuse, the attack surface is unusually wide. Firefox and Safari are unaffected because they do not support the same background-fetch feature, but the Chromium ecosystem is large enough that the risk still spans a huge share of desktop browsing.
The timeline makes the story more concerning. Ars says the vulnerability was reported 29 months ago, received a high-severity S1 rating inside Chromium discussions, and remained unpatched when the proof-of-concept was posted publicly. Although Google later removed the disclosure, copies reportedly remain on archival sites. That means defenders no longer control the information flow. Attackers, researchers, and incident responders are now working from roughly the same starting point while users still wait for a fix.
The practical implication for organizations is that browser hardening can no longer be treated as a lightweight endpoint issue. Enterprises that rely heavily on Chromium-based browsers may need to watch for unexplained download UI behavior, restrict risky browsing contexts, and follow vendor updates closely over the next few days. This is also another reminder that browser security debt can sit for years in lightly used features before suddenly becoming urgent.
Until Google and Chromium vendors ship a patch, the story is less about panic than about exposure management. Public exploit code changes the risk equation immediately. Once that code is out, every day without a fix matters more.
Originally reported by Ars Technica. Read the original article for additional details.