Source:
tldr: A vulnerability in Chromium-based browsers allows attackers to run JavaScript in the background even after the browser is closed — just by visiting a specially crafted website. Reported to Google in late 2022, patched in January 2026, but researchers found in May 2026 that the fix is still incomplete.
Timeline
- Late 2022: Researcher privately reports the bug to Google.
- January 2026: Google patches the vulnerability.
- May 2026: Google publishes the bug report and public PoC.
- May 2026: Researchers discover the vulnerability is still not fully patched.
Affected versions
- Affected: Chromium-based browser versions since 2022.
- Status: As of writing, the vulnerability is still not fully patched.
What to do
- Be aware that closing your browser may not fully terminate all page-originated scripts.
- Monitor for Chromium/Chrome updates addressing this specific background execution flaw.
- Review the BleepingComputer writeup for full technical details and PoC information.