There's a critical vulnerability in Chromium, unpatched since 2022
There's a critical vulnerability in Chrome and almost every browser that uses the Chromium engine that can turn your phone, laptop, or PC into part of a botnet, Android Authority reports. And the wildest part is that this thing was reported years ago and remains unpatched to this day.
Browser Fetch vulnerability
The problem is tied to something called Browser Fetch. It's a standard that allows your browser to download files in the background, so you don't have to keep the tab open.
This standard was made for convenience, but it turns out that an attacker could use the same system to connect to your browser and use your phone or computer as part of a larger botnet.
These networks are used as attack weapons in larger operations, such as spam attacks and distributed denial-of-service (DDoS) attacks. Such a malicious connection to your browser could also expose browsing history and other sensitive data.
The problem was reported back in 2022
The issue was discovered almost three years ago by the independent security researcher Lyra Rebane. They reported the vulnerability to Google in late 2022, but years later it remains unpatched.
What's even worse is that there's publicly available proof-of-concept exploit code built to demonstrate the vulnerability. Anyone with basic knowledge about IT security can use it to do a ton of bad things.
And the scary part is that you don't have to install an app, or click on a suspicious pop-up, or approve a permission — just opening a website could put you at risk.
There's no fix. Why the delay?
According to Rebane, Google acknowledged the issue and classified it as a “serious vulnerability” internally marked as S1. This is Google's second-highest severity rating.
And yet, 29 months later, the vulnerability remains unpatched. What gives? Rebane thinks that this bug falls into an awkward grey area — it's not too dangerous as it doesn't reveal or steal passwords, files, or credit card data, but it's not trivial either.
What can actually be done?
As of this writing, there's no official fix, nor a timeframe for when we can expect one. Google hasn't said anything concrete, and the nature of the vulnerability is such that you might not know if you're affected.
In some cases you might briefly get a downloads-related pop-up without any actual file appearing, but this happens only once, and many people would probably dismiss it without a second thought.
The best approach for the moment is to avoid sketchy websites and refrain from initiating downloads. We'll continue to monitor the situation and report back with further developments.
Mariyan, a tech enthusiast with a background in Nuclear Physics and Journalism, brings a unique perspective to PhoneArena. His childhood curiosity for gadgets evolved into a professional passion for technology, leading him to the role of Editor-in-Chief at PCWorld Bulgaria before joining PhoneArena. Mariyan's interests range from mainstream Android and iPhone debates to fringe technologies like graphene batteries and nanotechnology. Off-duty, he enjoys playing his electric guitar, practicing Japanese, and revisiting his love for video games and Haruki Murakami's works.