Google engineers unintentionally disclosed details of a Chromium vulnerability that allowed background JavaScript execution after the browser was closed, and in some cases after device reboot. The flaw, linked to the Background Fetch API, was first found by researcher Lyra Rebane in late 2022 and remained unfixed for almost four years, affecting Chrome, Edge, Brave, Opera, Vivaldi, Arc and other Chromium‑based browsers. Google marked the issue as fixed in February 2026, but no patch was released; the public report and PoC were later removed after automatic disclosure. Google confirmed the leak and said a fix is being worked on, while users are advised to watch for unusual activity in the downloads menu.
