Cybersecurity May 22, 2026 · 4 min read

Google Accidentally Reveals Its Own Unfixed Chromium Zero-Day — Your Browser Closes, the JavaScript Doesn’t, and the Bug Report Leaked Itself

🤚 The Open-Palm Disclosure

In a move that absolutely no one at Google’s security team would describe as “optimal,” Google accidentally revealed the full details of an unfixed Chromium vulnerability after the Chromium Issue Tracker automatically removed access restrictions on May 20, 2026. The bug had been marked as “fixed” for over 14 weeks — the standard threshold for public disclosure — except for the small, inconvenient detail that it was not actually fixed.

The vulnerability, originally reported by security researcher Lyra Rebane all the way back in December 2022, allows malicious JavaScript to continue executing in the background after a user closes their browser entirely. The mechanism exploits Service Workers — specifically, a malicious webpage spawns a download task that never terminates, keeping the browser process alive like a cockroach in a nuclear winter.

Here’s what we know:

  • Every Chromium-based browser is affected: Chrome, Edge, Brave, Opera, Vivaldi, and Arc
  • The exploit requires no user interaction beyond visiting a webpage
  • On Microsoft Edge, no download notification appears at all — complete stealth
  • Attackers could use it for DDoS attacks, botnet creation, malicious traffic proxying, and arbitrary traffic redirection
  • Google marked the bug as “fixed” on February 12, 2026, but testing revealed the exploit still worked in Chrome Dev 150 and Edge 148

👐 The Two-Handed Paradox of Responsible Disclosure

Let us pause and appreciate the full architectural comedy of this situation. Google, the company that invented the concept of a 90-day vulnerability disclosure deadline and has spent decades pressuring other vendors to patch faster, just had its own automated system leak its own unfixed vulnerability to the public. The Chromium Issue Tracker — built by Google, maintained by Google, configured by Google — decided that 14 weeks of silence was quite enough, thank you, and proceeded to tell the internet everything.

The irony here is structural. Google’s disclosure automation was designed to shame companies like Microsoft and Apple into faster patching by threatening public exposure. And now that same mechanism has turned around and done its job perfectly — against Google itself. The system worked exactly as intended. The system is also the problem.

And then there’s the timeline. Lyra Rebane reported this flaw in December 2022. That’s three and a half years of a vulnerability sitting in the queue like a library book nobody checked out. Google marked it “fixed” in February 2026, apparently without verifying that it was, in fact, fixed. The browser closed. The JavaScript did not. Neither, it turns out, did the bug.

🌿 The Gentle Awakening

There is something deeply philosophical about a browser that keeps running after you close it. We have all, at some point, felt that our technology does not respect our decisions. We tell our phones to stop tracking us. We tell our smart speakers to stop listening. We close the browser and walk away from the screen, believing — hoping — that the conversation is over.

It is not over. It was never over. The JavaScript is still running. The download that never finishes is still downloading. And somewhere, a Service Worker is whispering into the void of your CPU cycles, doing things you did not authorize and will never know about.

As Rebane herself noted, it is “realistic to get tens of thousands of pageviews” for building a botnet this way. You don’t need malware. You don’t need a phishing email. You just need someone to visit a webpage, and their machine becomes yours — even after they leave. Especially after they leave.

👑 The Gold-Leaf Reckoning

The broader lesson here is one the security industry has been trying to teach for years but keeps learning anew: closing a bug report is not the same as fixing a bug. Google’s own verification process failed. Its own automation leaked the failure. And now every Chromium-based browser on the planet — which is to say, nearly every browser on the planet — is exposed to a flaw that has been known about since the year ChatGPT launched.

Google will “most likely treat this as urgent,” according to reports, which is a charitable way of saying they will now do in a week what they failed to do in three and a half years. Emergency patches are expected for Chrome and, presumably, the downstream browsers will follow. But the damage to the disclosure process itself may be harder to patch.

Because the next time Google shows up at Microsoft’s door with a 90-day countdown clock, Redmond can simply smile, pour some tea, and ask: “So, how’s your Issue Tracker doing these days?”

“The browser was closed. The JavaScript disagreed. The bug report sided with the JavaScript.” — The Slap of Wisdom Vulnerability Disclosure Bureau, currently running in the background of a browser you already closed