Google releases Chromium exploit code; users of Edge and other browsers remain at risk

According to Ars Technica, Google released the full exploit code for a critical vulnerability (CVE-2026-1504) in Chromium’s Background Fetch API, in line with Project Zero’s 90-day disclosure policy. The flaw allows attackers to install a persistent Service Worker on a user’s device when the user simply visits a malicious webpage. The Service Worker remains active even after a reboot and can be used to monitor network traffic, proxy online activities, or turn the device into part of a DDoS botnet, all without requiring any further user interaction. Google has since issued a fix in version 144.0.7559.110, and the researcher responsible was awarded a $3,000 bounty.

The controversy arises because Microsoft Edge and numerous third-party Chromium-based browsers hadn’t yet rolled out patches when Google made the exploit public. Since enterprise-managed browser deployments typically require longer timeframes for updates, many users remained exposed to risk until patches became available. This incident has reignited industry debate over whether exploit details should be disclosed prior to full ecosystem-wide patching: proponents argue such transparency pressures vendors to act swiftly, while critics fear it provides attackers with ready-made tools. Users of Chromium-based browsers other than Chrome are advised to promptly verify their browser versions and manually check for updates.

Ars Technica