Google releases Chromium Fetch API exploit code
Key insights
- CVE-2026-1504 lets any malicious webpage silently install a persistent service worker requiring zero user interaction beyond the visit.
- The service worker survives both browser and device reboots, enabling long-term traffic monitoring or use as a DoS proxy.
- Chrome 144.0.7559.110 patches the flaw, but Edge and other Chromium-based browsers follow independent update schedules.
Why this matters
Every enterprise running Edge or a Chromium-based internal browser faces a patch-lag window during which a single employee visiting a malicious page can hand attackers a persistent, reboot-surviving network proxy inside the corporate perimeter. Google's decision to publish working exploit code before confirming broad ecosystem patching compresses that window into an active exploitation race, not a theoretical risk. For AI practitioners building on Electron or embedding Chromium webviews in products, the vulnerability extends beyond end-user browsers into application surfaces that have no automatic update path.
Summary
Google published working proof-of-concept exploit code for CVE-2026-1504, a vulnerability in Chromium's implementation of the Fetch API that affects Chrome, Edge, and every Chromium-derived browser.
The attack requires no user interaction beyond a single page visit. A malicious site installs a persistent service worker that survives browser restarts and full device reboots, then silently monitors outbound traffic or conscripts the machine as a DoS proxy. Nothing is shown to the user, although the registration itself is still recorded on disk in the browser profile and listed at chrome://serviceworker-internals, which is where responders should look.
Essentially: Google (as Chromium maintainer) released functional exploit code while Microsoft Edge and third-party Chromium browsers were still unpatched.
- CVE-2026-1504 triggers on page load alone, no clicks or permissions required.
- The service worker persists through reboots: a registered service worker is by design kept until it is unregistered or the site's data is cleared, so the session-based cleanup most users rely on (closing the browser, rebooting) does not remove it.
- Chrome 144.0.7559.110 carries the fix; Edge and other Chromium forks operate on separate release cadences.
The interval between Google's public exploit drop and full ecosystem patching is precisely the window attackers will exploit.
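Because the persistence mechanism is an ordinary service worker registration, the artifact a responder can hunt for is the registration record Chromium writes to disk. The script below is an added example written for this page, not code from the article, Google or the Chromium project. It assumes the on-disk layout as it is in Chromium's service_worker_database.cc: a LevelDB database under `<profile>/Service Worker/Database/` whose registration keys start with `REG:` followed by the origin, a NUL byte and the registration id, with a protobuf value carrying the scope and script URL. It does not parse LevelDB; it carves printable URL strings out of the raw `.log` and `.ldb` files, which is enough for a quick triage pass but misses strings inside Snappy-compressed table blocks (re-run against a profile copy after the browser has flushed, or confirm in chrome://serviceworker-internals). The `SAMPLE` bytes are constructed to mimic one uncompressed log record and are not taken from a real profile.

```python
"""Carve service worker registrations out of a Chromium profile directory.

Hunting heuristic for the persistence described above: Chromium keeps
registrations in <profile>/Service Worker/Database/ (LevelDB). Keys look like
b"REG:" + origin + b"\x00" + registration_id; the value is a protobuf whose
string fields hold the scope and script URL. We carve URL-looking strings
near each key instead of parsing LevelDB, so compressed .ldb blocks can hide
entries. Key layout is an assumption based on service_worker_database.cc.
"""
import os
import re
import sys

# Origin as serialised by GURL: scheme://host[:port]/ followed by the NUL
# separator that precedes the registration id.
REG_KEY = re.compile(rb"REG:(https?://[A-Za-z0-9.\-:\[\]]+/?)\x00")
# Printable URL characters only; protobuf tag bytes that follow a string
# field are usually non-printable, which terminates the match.
URL = re.compile(rb"https?://[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+")
WINDOW = 512  # bytes of value to inspect after each key

# Constructed sample: two records laid out like an uncompressed .log would
# hold them (key, then protobuf value). Filler bytes stand in for LevelDB
# framing; field numbers are illustrative, not authoritative.
SAMPLE = (
    b"\x00" * 8
    + b"REG:https://evil.example/\x00" + b"7"
    + b"\x08\x07"                               # varint field: registration id
    + b"\x12\x15https://evil.example/"          # string field: scope (21 bytes)
    + b"\x1a\x1ahttps://evil.example/sw.js"     # string field: script URL (26)
    + b"\x20\x01"                               # varint field
    + b"\x00" * 8
    + b"REG:https://shop.example/\x00" + b"3"
    + b"\x12\x15https://shop.example/"
    + b"\x1a\x1ahttps://shop.example/sw.js"
    + b"\x00" * 4
)


def carve_registrations(blob: bytes) -> list[dict]:
    """Return [{'origin': str, 'urls': [str, ...]}] for every REG: key in blob.

    Duplicate (origin, urls) pairs, which LevelDB logs accumulate on updates,
    are reported once.
    """
    found, seen = [], set()
    for m in REG_KEY.finditer(blob):
        origin = m.group(1).decode("ascii", "replace")
        # Stop the value window at the next key so we do not attribute the
        # following registration's URLs to this one.
        nxt = blob.find(b"REG:", m.end())
        end = m.end() + WINDOW if nxt == -1 else min(nxt, m.end() + WINDOW)
        window = blob[m.end():end]
        urls = sorted({u.decode("ascii", "replace") for u in URL.findall(window)})
        key = (origin, tuple(urls))
        if key in seen:
            continue
        seen.add(key)
        found.append({"origin": origin, "urls": urls})
    return found


def scan_profile(profile_dir: str) -> dict[str, list[dict]]:
    """Carve every .log/.ldb file under <profile>/Service Worker/Database."""
    db_dir = os.path.join(profile_dir, "Service Worker", "Database")
    results: dict[str, list[dict]] = {}
    if not os.path.isdir(db_dir):
        return results
    for name in sorted(os.listdir(db_dir)):
        if not name.endswith((".log", ".ldb")):
            continue
        with open(os.path.join(db_dir, name), "rb") as fh:
            regs = carve_registrations(fh.read())
        if regs:
            results[name] = regs
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. ~/.config/google-chrome/Default or
        # %LOCALAPPDATA%\Microsoft\Edge\User Data\Default
        for fname, regs in scan_profile(sys.argv[1]).items():
            for r in regs:
                print(f"{fname}: {r['origin']} -> {', '.join(r['urls'])}")
    else:
        for r in carve_registrations(SAMPLE):
            print(f"{r['origin']} -> {', '.join(r['urls'])}")
```

Run it against a copy of the profile (Chromium holds the LevelDB lock while running) and compare the origins it reports with the allow-list of sites expected to register service workers in your environment; an unfamiliar origin with a script URL is the lead to follow. A registration that only shows in chrome://serviceworker-internals and not in the carve output most likely sits in a compressed block, so treat the script as a first pass rather than an exhaustive inventory.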
Potential risks and opportunities
Risks
- Enterprise fleets running Edge under managed update policies could remain unpatched for weeks, giving attackers a persistent proxy foothold inside corporate networks with traffic indistinguishable from normal browsing
- Electron-based applications (Slack, VS Code, many SaaS desktop clients) embed Chromium and may carry CVE-2026-1504 with no automatic update path tied to Chrome's release cycle
- Google's public exploit release before full ecosystem patching creates a named, reproducible attack primitive that lowers the barrier for mass exploitation campaigns targeting the broad Chromium install base
Opportunities
- Enterprise browser vendors (Island Enterprise Browser, Talon) can accelerate sales cycles by offering centrally managed patch deployment that bypasses the Chrome/Edge cadence gap
- Endpoint detection vendors (CrowdStrike, SentinelOne) can ship service worker persistence detection signatures now to cover the patching lag across Chromium-based browsers and Electron apps
- Browser security monitoring startups (SquareX) can position persistent service worker visibility as a concrete, CVE-backed differentiator for security teams evaluating browser isolation tools in the next 30 days
What we don't know yet
- Whether Microsoft Edge has shipped a patched build equivalent to Chrome 144.0.7559.110 as of the disclosure date, and if not, the confirmed timeline
- How long Google held the working exploit internally before publishing, and specifically whether that gap created an asymmetric window for threat actors who already had access to the bug
- Which major Chromium forks (Brave, Opera, Samsung Internet, Electron) have issued patches and on what release cadence, leaving users exposed in the interim
Originally reported by arstechnica.com
Original headline: Google Publishes Exploit Code for Unfixed Chromium Browser Fetch API Flaw Threatening Millions of Chrome and Edge Users