
Google has accidentally exposed detailed information about a serious Chromium security flaw before releasing an official fix to the public.
The issue is concerning because Chromium powers many popular browsers, including Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Arc. The risk therefore extends beyond Chrome users to everyone who relies on a Chromium-based browser every day.
According to the source article, the flaw could allow malicious JavaScript to keep running silently in the background, even after users close the browser window.
The Bug Was First Reported In 2022
The issue reportedly began in December 2022, when security researcher Lyra Rebane discovered the vulnerability and reported it through the Chromium bug tracking system.
The Chromium team accepted the report as a real bug. The flaw involved a possible attack method where a malicious website could hide dangerous code inside a fake page. If a user opened the page, the code could continue running in the system.
The researcher warned that attackers could potentially use this method to pull many affected computers into a botnet, allowing them to support wider cyberattacks without the device owners realizing what was happening.
The Fix Was Marked Complete Too Early
The problem became more serious because the bug remained unresolved for a long time.
According to the source article, the delay continued through late 2024 and into early 2026. Google developers later noticed that the issue still had not been properly handled.
On February 12, an automated system marked the bug as fixed. It also sent an email notification and awarded the researcher a $1,000 bug bounty.
However, the shocking part is that the actual fix had not yet been pushed into the public browser versions used by general users.
Private Bug Details Became Public
The major mistake happened on May 20.
Chromium’s system automatically opens bug details to outsiders if a bug has been closed and marked as fixed for more than 14 weeks. Since this bug had been incorrectly marked as resolved, its technical details became publicly accessible.
After seeing this, Rebane tested the latest browser version and found that the vulnerability still worked.
The situation became even more concerning on Microsoft Edge, where the source article says there was no download warning pop-up to interrupt the process. Without that prompt, the hidden code execution is even harder for a user to notice.
Many Chromium-Based Browsers Could Be Affected
The impact reaches beyond Google Chrome because many browsers use the same Chromium foundation.
This includes Microsoft Edge, Brave, Opera, Vivaldi, and Arc. Even though Google later locked the bug database back to private, the window of exposure may have been long enough for bad actors to capture the attack details.
That makes the timing especially risky. Security details became public while users still did not have a proper patch available.
The Bug Still Has Limits
The researcher also clarified that the bug does not appear to break through the browser’s main security barriers in a way that directly steals personal files or reads emails from the computer.
However, that does not make the leak harmless.
The real danger comes from exposing deep technical details before a defense is available. Once attackers know how a flaw works, they can move faster while users are still waiting for protection.
Google is now reportedly rushing to prepare an emergency update to address the issue as quickly as possible.
This Chromium security flaw shows why timing matters so much in cybersecurity. A vulnerability can already be dangerous, but leaking its details before a public fix makes the situation much worse. Since Chromium supports many major browsers, users should update their browser as soon as a patch becomes available and avoid suspicious websites while the issue remains active.
SOURCE: BleepingComputer