Google fixes high-severity Chrome bug that may abuse background downloads

Google has released a new Chrome Stable Channel update to fix a high-severity vulnerability in the browser’s Background Fetch API, urging users to update as soon as possible to reduce potential security and privacy risks.
This update brings Chrome to versions 144.0.7559.109/.110 for Windows and macOS, and 144.0.7559.109 for Linux.
The patched flaw, tracked as CVE-2026-1504, is described as an “inappropriate implementation in the Background Fetch API” and was rated high severity.
Google added that the vulnerability was reported on January 9th, 2026, by security researcher Luan Herrera (@lbherrera_), who received a $3,000 bug bounty as part of Google’s vulnerability reward program.
What is the Background Fetch API?
The Background Fetch API allows websites to download large files in the background, even if a user closes the browser or tab or minimizes the window.
The feature is designed to improve user experience for tasks like downloading videos, software installers, or large documents without keeping a page open.
However, because it runs out of sight, flaws in how the feature is implemented can create security risks.
In this case, Google says the API was implemented in a way that could potentially allow security boundaries to be bypassed, permissions to be mishandled, or background requests to be processed unsafely.
While Google has not disclosed full technical details, the high severity rating indicates that successful exploitation could impact user security or privacy, even without requiring malware installation.
Why details are being withheld, and what this means for users
In an update issued on Tuesday, Google said that it was temporarily restricting access to the full bug report.
“We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed,” Google added.
Google said the move was intended to prevent attackers from reverse-engineering the fix and exploiting unpatched browsers before most have been updated.
An unpatched Chrome browser could potentially allow a malicious site to misuse background downloads in ways users don’t see or expect. For businesses, this introduces the risk of data exposure or abuse of browser permissions on employee devices.
Google strongly advises users to update Chrome immediately, using the browser’s built-in update mechanism.
Organizations should ensure managed devices are force-updated to the latest version.
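One way to check a fleet inventory against the patched builds named above, as an added example that is not from Google or the original article. The hostnames, the inventory format and the older version strings are constructed for illustration; only the 144.0.7559.109/.110 builds come from the article.

```python
import re

# Patched Stable builds named in the article (109 is the lowest fixed build
# on every platform; Windows and macOS may also report .110).
FIXED_BUILD = {
    "windows": (144, 0, 7559, 109),
    "macos": (144, 0, 7559, 109),
    "linux": (144, 0, 7559, 109),
}

VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Extract a four-part Chrome version as a tuple of ints, or None."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(platform, reported):
    """Return 'patched', 'unpatched' or 'unknown' for one inventory record."""
    fixed = FIXED_BUILD.get(platform.lower())
    version = parse_version(reported)
    if fixed is None or version is None:
        return "unknown"  # never assume an unparseable record is safe
    # Tuple comparison is numeric per component; comparing the raw strings
    # would rank "144.0.7559.96" above "144.0.7559.109".
    return "patched" if version >= fixed else "unpatched"


def audit(inventory):
    """Map each host to its status; anything not 'patched' needs follow-up."""
    return {host: classify(platform, reported) for host, platform, reported in inventory}


# Constructed sample inventory (hostnames and the older builds are made up).
SAMPLE_INVENTORY = [
    ("ws-001", "windows", "Google Chrome 144.0.7559.110"),
    ("ws-002", "windows", "Google Chrome 144.0.7559.96"),
    ("mac-01", "macos", "Google Chrome 143.0.7499.40"),
    ("lnx-07", "linux", "Google Chrome 144.0.7559.109 "),
    ("lnx-08", "linux", "chrome: command not found"),
    ("ws-003", "windows", "Google Chrome 145.0.7600.12"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" should be treated the same as "unpatched" until their version is confirmed.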