Google publishes Chromium exploit code before patch lands
Chromium exploit code was published before a fix was broadly available, raising short-term risk for Chrome and other browsers built on Google's engine.

Google has published exploit code for an unfixed Chromium vulnerability. The proof-of-concept material, posted to the Chromium issue tracker, opens a short risk window for Chrome and every Chromium-based browser used in Australian homes and workplaces.
The flaw lets an attacker leak the size of cross-origin resources through Service Workers and the Fetch API — a class of bug that allows sensitive data to be inferred without direct access to it. Tracked as CVE-2026-1504, it was reported by independent researcher Lyra Rebane. Ars Technica first reported that the code went public before a broad browser fix was available. Vendors normally withhold technical detail until patches reach stable channels.
The Chromium filing shows the issue sat open for 29 months. Downstream browsers that did not apply their own mitigations during that window may have inherited the risk. Google’s Chrome stable-channel updates are the best indicator of when fixes start reaching users, but patch timing varies between browsers. Organisations running managed fleets will need to verify patches across their entire browser estate.
For Australian businesses, the immediate concern is a compressed response window rather than mass compromise. Security teams that have standardised on Chromium-based browsers now have a public exploit path to track. Consumers should apply the next browser update as soon as it appears. The unusual timing of the disclosure also puts fresh pressure on browser maintainers to hold proof-of-concept material until a reported flaw is fixed.
Reza Khalil
Cybersecurity reporter covering breaches, threat intel, and the ACSC beat. Former incident responder. Reports from Canberra.


