Google has publicly released proof-of-concept (PoC) exploit code for a critical, still-unpatched vulnerability in the Chromium codebase, potentially exposing millions of users across Chrome, Microsoft Edge, Brave, Opera, and other Chromium-based browsers to stealthy botnet-style abuse.
The vulnerability was originally reported in late 2022 by independent security researcher Lyra Rebane and remains unpatched more than 42 months later.
It carries a Priority 1 (P1) rating, indicating high urgency, and a Severity 2 (S2) classification, which marks it as a serious issue within Chromium’s internal vulnerability framework.
The vulnerability lies in the Browser Fetch API, a feature that allows large downloads, such as videos or files, to continue processing in the background via Service Workers.
Rebane discovered that this mechanism can be weaponized to spawn persistent, never-terminating background tasks that maintain continuous communication with attacker-controlled infrastructure.
By exploiting this behavior, threat actors can establish a covert channel between a victim’s browser and a command-and-control (C2) server.
In certain implementations, notably Microsoft Edge, this connection can persist even after the browser is closed or the device is rebooted, dramatically expanding the attack surface, CSN said.
The result effectively transforms an ordinary browser into a limited botnet node, requiring zero user interaction beyond a single website visit.
The attack vector is deceptively simple. A user visiting any malicious or compromised webpage can be silently enrolled into a browser-based botnet. According to Rebane’s disclosure, the attack chain works as follows:
“It’s realistic to get tens of thousands of pageviews for creating a ‘botnet,’ and users won’t be aware that JavaScript can be remotely executed on their device,” Rebane stated in the original report.
While browser sandboxing limits the exploit’s immediate scope, the risk at scale remains significant. Documented abuse scenarios include:
Rebane also warned that the real long-term risk lies in exploiting a pre-established botnet of compromised browsers, which could serve as a ready-made launchpad once additional vulnerabilities are discovered.
Google’s decision to release PoC code before issuing a fix has drawn criticism from the security community. Multiple Chromium developers acknowledged the flaw as a “serious vulnerability” in the issue tracker, yet no complete remediation has been deployed.
With the PoC publicly available, Rebane noted that exploitation is now “pretty easy,” though scaling an operation would require additional infrastructure investment from threat actors.
Until an official patch is released, security teams should take these defensive steps:
With public exploit code circulating and no patch on the horizon, this vulnerability presents an active, exploitable window of opportunity for threat actors pursuing large-scale, browser-based botnet infrastructure.
The post Google Publishes Exploit Code for Unfixed Chromium Vulnerability appeared first on Cyber Security News.