Google accidentally exposed details of unfixed Chromium flaw
Google inadvertently exposed details of an unpatched vulnerability in Chromium that allows JavaScript to continue executing after the browser window is closed, potentially enabling remote code execution. The issue was disclosed through a public commit to the Chromium repository on May 20, 2026, before a fix was ready. According to BleepingComputer, the flaw resides in the browser's process management, failing to terminate background JavaScript contexts properly. This affects all Chromium-based browsers, including Chrome, Edge, and Opera. Google has acknowledged the leak and is working on a patch, but no timeline for release has been provided. The vulnerability has been assigned CVE-2026-1234 (placeholder). Users are advised to manually close all browser processes via task manager as a temporary workaround.
Developers must ensure their web apps handle background processes securely to prevent RCE.