Google Accidentally Exposes Zero-Day Chromium Flaw Allowing Persistent JavaScript Execution
**Google** has inadvertently disclosed details of a critical, unpatched vulnerability in **Chromium**, potentially impacting millions of users. The flaw allows persistent JavaScript execution even after the browser is closed, opening doors for remote code execution and botnet creation.

A zero-day vulnerability in **Chromium**, the open-source project behind **Google Chrome**, **Microsoft Edge**, and other popular browsers, has been accidentally exposed by **Google**. The flaw, reported by security researcher **Lyra Rebane**, allows JavaScript code to continue running in the background even after the browser is closed, potentially enabling remote code execution (RCE) on affected devices.
### The Vulnerability
The vulnerability, acknowledged as valid in December 2022, stems from a flaw in how **Chromium** handles Service Workers. An attacker could exploit this by creating a malicious webpage with a Service Worker, such as a never-ending download task, that persists even after the browser is closed. **Rebane** explains that this could allow attackers to execute arbitrary JavaScript code on visitors' devices, effectively turning them into unwilling members of a botnet.
"It's realistic to get tens of thousands of pageviews for creating a 'botnet', and people won't be aware that JavaScript can be remotely executed on their device," **Rebane** stated in the original bug report.
Potential exploitation scenarios include launching distributed denial-of-service (DDoS) attacks, proxying malicious traffic, and redirecting traffic to target sites.
### Widespread Impact
The issue affects all **Chromium**-based browsers, including **Google Chrome**, **Microsoft Edge**, **Brave**, **Opera**, **Vivaldi**, and **Arc**. This broad impact significantly increases the potential attack surface.
### A Persistent Problem
Despite being reported in 2022, the issue remained unresolved. On October 26, 2024, a **Google** developer noted the severity of the vulnerability and requested a status update. The bug was briefly marked as fixed on February 10th of this year but was quickly reopened due to unresolved concerns. It was then marked as fixed again on February 12th, although a patch was never shipped.
**Rebane** received a bug bounty of $1,000 through the **Chrome** Vulnerability Rewards Program (VRP). After the bug had been closed and marked as fixed for more than 14 weeks, access restrictions on the **Chromium** Issue Tracker were removed on May 20th.
Upon retesting, **Rebane** discovered that the vulnerability was still present in **Chrome Dev 150** and **Edge 148**. The researcher highlighted the issue in a post, stating:
> “Back in 2022, I found a bug that would let me, with no user interaction, turn any **Chromium**-based browser into a permanent JS botnet member,” the <a rel="nofollow noopener" href="https://infosec.exchange/@rebane2001/116606719764376414">researcher said</a> in a post yesterday.
> “In Edge, you wouldn't even notice anything out of place, and would stay connected to the C2 even after closing the browser.”
### Stealthier Exploitation
Making matters worse, the download prompt that previously appeared when triggering the exploit no longer appears in the latest version of **Edge**, making the exploit even more stealthy.
> “OH NO I JUST REALIZED THIS IS NOT ACTUALLY PROPERLY FIXED AND STILL WORKS,” <a rel="nofollow noopener" href="https://infosec.exchange/@rebane2001/116606836889483917">posted Rebane on Mastodon</a>.
> “Even worse, Edge no longer even makes the download menu pop up, so it's completely silent JS RCE that keeps running even after you close the browser !! all from just visiting a single website once !!”
### Accidental Disclosure and Potential Impact
Although the issue was quickly made private again, the exposure was enough for the information to leak. **Rebane** <a rel="nofollow noopener" href="https://arstechnica.com/security/2026/05/google-publishes-exploit-code-threatening-millions-of-chromium-users/">told Ars Technica</a> that **Google’s** exposure would make exploitation “pretty easy,” although scaling it into a large botnet is more complicated. She clarified that the bug does not bypass browser security boundaries and doesn’t grant attackers access to emails, files, or the host OS.
Given the leaked details, the risk to a large number of users is significant. **Google** is expected to treat this as urgent and release emergency fixes soon.
BleepingComputer has reached out to **Google** for comment but has not yet received a response.