Google Leaves 2022 Chrome Flaw Unfixed, Exposing Browsers to DDoS Abuse
Updated · Tempo.co English · May 21
Lyra Rebane said Chrome still lacks an effective fix for a Browser Fetch vulnerability she reported in late 2022, leaving exploit code publicly available.
Browser Fetch is meant to keep large downloads running after a tab closes, but attackers can abuse it to maintain persistent background connections to remote servers.
Those connections can turn a user’s browser into an anonymous proxy or part of distributed denial-of-service attacks, even after the user leaves the malicious site.
Rebane said victims are hard to identify because the abuse can look like ordinary browser sluggishness, and Google has not said when a patch will arrive.
The "Brash" Chromium Vulnerability: Billions Exposed After Google Publishes Exploit Before Patch
Overview
In May 2026, Google's Project Zero published a proof-of-concept exploit for the critical 'Brash' vulnerability before vendors released a comprehensive patch. This action triggered an immediate cybersecurity crisis, as billions of devices became exposed to attacks. The public release of the exploit made it easy for attackers to use, dramatically increasing the risk of exploitation. As a result, the cybersecurity community condemned Google's decision, arguing it put user safety at risk. The situation forced organizations and users to urgently seek temporary protections while waiting for official fixes, highlighting the challenges of responsible vulnerability disclosure and the widespread impact of flaws in core technologies.