Google published proof-of-concept exploit code on May 22, 2026 for a Chromium vulnerability that has gone unpatched for approximately 42 months — accelerating a race between browser vendors and attackers who now have a working exploit blueprint for a flaw that affects every major Chromium-based browser simultaneously with no fix currently available.
The vulnerability was originally reported by researcher Lyra Rebane in late 2022. It remained unpatched and largely obscured until May 20, 2026, when Google accidentally made the bug tracker entry publicly accessible by prematurely removing access controls. Two days later, Google published the PoC code itself.
The Service Worker Persistence Mechanism in Chromium
The vulnerability exists in Chromium’s Browser Fetch API and Service Workers subsystem. Service Workers are a legitimate web platform feature that allows websites to run background scripts handling network requests, push notifications, and offline caching — even when the user is not actively viewing the page. The design intent is that a Service Worker should stop executing when the browser is closed.
The flaw breaks that boundary. A malicious Service Worker can continue executing JavaScript after the browser has been closed. In Microsoft Edge specifically, the persistence extends further: the connection can survive a full system reboot, meaning a single visit to a malicious site can install a background JavaScript execution environment that persists on the victim’s machine indefinitely without any subsequent user interaction.
All Chromium-based browsers share the vulnerability because Service Workers are a core web standard component implemented at the Chromium layer: Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Arc are all affected. No patch exists for any of them. The 42-month unpatched window spans multiple major Chromium version cycles.
From Single Page Visit to JavaScript Botnet at Scale
Researcher Lyra Rebane’s disclosure describes the attack potential at scale. A malicious site operator does not need the victim to install software, grant permissions, or take any action beyond loading the page. One page visit is sufficient to install the persistent Service Worker. Rebane noted that reaching tens of thousands of pageviews could realistically construct a JavaScript botnet composed of silently-infected browsers, each one becoming a persistent background execution node that survives tab closure, browser restart, and navigation away from the original page.
The capabilities available through persistent background JavaScript access include traffic redirection, DDoS attacks, activity monitoring, and proxy network construction. Unlike traditional botnets that require persistent malware on the host OS, this technique operates entirely within the browser’s execution environment — but persists beyond what browser security models are supposed to allow.
The cross-browser impact amplifies the risk considerably. A vulnerability in a single browser vendor’s implementation could be addressed in isolation. Because this flaw is in Chromium’s core Service Worker implementation, a working exploit published for Chrome is simultaneously a working exploit for every Chromium-based browser. Chromium derivatives collectively hold dominant desktop browser market share, meaning the pool of potentially vulnerable browsers is very large.
The Accidental Disclosure on May 20 and the PoC Publication on May 22
The timeline of how this vulnerability became public matters for understanding the urgency. Lyra Rebane reported the flaw to Google in late 2022. It remained under restricted access in Google’s bug tracker while the 42-month unpatched clock ran. On May 20, 2026, Google prematurely removed the access controls on the bug tracker entry, inadvertently making the technical vulnerability details public.
Google published the PoC exploit code two days later, on May 22. The PoC publication followed the accidental technical disclosure rather than preceded it — Google’s rationale appears to be that once the vulnerability details were publicly accessible, publishing a working PoC brought forward pressure on the patch timeline and allowed the security community to test exposure. However, the result is that anyone with the motivation to develop an exploit now has both the technical details and a working implementation to start from.
What Chrome, Edge, and Brave Users Can Do Before a Patch Is Available
No patch exists for any affected browser as of the May 22 publication date. Browser vendors are aware of the issue and the public PoC will accelerate their patch development timelines, but no timeline has been disclosed.
Users of Chrome, Microsoft Edge, Brave, and other Chromium-based browsers can reduce exposure by auditing installed Service Workers through their browser’s developer tools and removing any associated with sites they did not intentionally visit or no longer use. In Chrome and Chromium-based browsers, Service Workers can be inspected and unregistered via the Application panel in DevTools, or through the browser’s site settings. Regularly clearing site data and storage, including Service Workers, after visiting unfamiliar sites is a practical interim measure.
For organizations managing browser deployments through group policy or enterprise configuration, restricting Service Worker registration to an approved list of domains — or disabling Service Worker functionality entirely where it is not required — removes the attack surface while a patch is developed. The trade-off is loss of functionality for legitimate sites that rely on Service Workers for offline capability or push notifications.
The 42-month gap between original report and public PoC publication represents an unusually long unpatched window for a cross-browser vulnerability with significant abuse potential. With a working exploit now publicly available and no patch on any affected platform, this is a vulnerability that browser vendors will be under significant pressure to close quickly.
