Google mistakenly published exploit code for a critical, unfixed vulnerability in the Chromium browser codebase on Wednesday. The flaw, residing in the Browser Fetch API, allows attackers to maintain persistent connections to a user's browser even after reboot, effectively creating a limited backdoor. This threatens the hundreds of millions using Chrome, Edge, and other Chromium-based browsers.

Discovered by independent researcher Lyra Rebane in late 2022, the vulnerability was privately reported and assigned an S1 severity rating, the second-highest classification. Despite being acknowledged as a 'serious vulnerability' by developers, it remains unpatched for 29 months and counting. The exploit could herd devices into a proxy network for attacks or monitoring.

While the published code is now removed from the official tracker, it persists on archival sites. An attacker with this code could easily create connections to victim browsers. Though capabilities are browser-limited, the scale—potentially millions of devices—combined with the longevity of the unfixed flaw, presents a severe and ongoing risk to global internet users until a permanent patch is deployed.