For three years, Google has known about a critical Chromium vulnerability that lets malicious code keep running even after you close your browser. Last week, they accidentally leaked the technical details to the public. The fix? Still nowhere in sight.

Key Takeaways

  • Google accidentally exposed details of an unpatched Chromium JavaScript background vulnerability
  • The flaw allows attackers to execute code remotely through malicious Service Workers
  • The vulnerability was reported in December 2022 but remains unfixed over three years later

The Leak That Shouldn't Have Happened

Security researcher Lyra Rebane reported this vulnerability through proper channels in December 2022. Google acknowledged it as valid in the Chromium Issue Tracker. Then, according to BleepingComputer, Google inadvertently made the technical exploitation details public before implementing any fix.

The vulnerability is straightforward but dangerous: JavaScript processes continue running in the background even after users close their browsers. An attacker can exploit this by creating a malicious webpage with a Service Worker—like a fake download task—that never properly terminates when the browser shuts down.

This isn't just a theoretical problem. The persistent background execution creates a direct pathway for remote code execution on affected devices. Since Chromium powers Google Chrome and dozens of other browsers, the scope of potentially affected users runs into the billions.

What Most Coverage Misses

The real story here isn't just another browser vulnerability. It's about what happens when responsible disclosure meets institutional inertia.

Over two years have passed between acknowledgment and the present day (December 2022 to 2025) for a critical security flaw. Most browser vulnerabilities get patched within weeks or months of discovery. This suggests either unusual technical complexity or a fundamental disagreement within Google about the severity or feasibility of a fix.

The accidental disclosure makes this worse in a specific way: malicious actors now have exploitation details while users remain defenseless. It's the security equivalent of publishing your house key's shape while your door lock is still broken.

For enterprise environments, this creates a particularly thorny problem. Background processes that persist after browser closure can potentially monitor user activity, access system resources, or serve as launching points for additional attacks—all while IT administrators believe their users' browsing sessions have ended.

The Questions Google Isn't Answering

Available reports don't explain how Google accidentally disclosed the vulnerability details, or through which channel the leak occurred. The company hasn't specified which Chromium derivatives beyond Chrome are affected, nor whether mobile browsers face the same risk.

More importantly, Google hasn't provided a timeline for implementing a fix or offered interim mitigation guidance for users and organizations. After three years of awareness and now public exposure, the silence around next steps is becoming its own story.

The technical specifics—which Service Worker functions are vulnerable and what conditions enable successful exploitation—remain unclear in current reporting.

What Security Teams Should Do Now

Monitor Google's official security bulletins and the Chromium Issue Tracker for patch announcements. Organizations should review their browser security policies and consider network-level protections while waiting for a fix.

Security teams should watch for exploitation attempts targeting background Service Worker processes. Public disclosure typically triggers increased scanning and attack attempts from malicious actors.

The next few weeks will show whether Google treats this as the emergency it has become, or whether users will be waiting for year four of an acknowledged, exploitable, and now publicly documented security flaw.