Google Discloses Critical Chromium Exploit After 29-Month Reporting Delay

Google has released exploit code for a critical security flaw affecting Chromium-based browsers, after the vulnerability sat unpatched for approximately 29 months from initial report to fix.

The exploit, now publicly available, targets a vulnerability that researchers flagged to Google through coordinated disclosure channels nearly two and a half years ago. Google's decision to publish proof-of-concept code before all users had updated to the patched version has drawn criticism from security researchers, who point out that a public proof of concept lowers the bar for attackers during the window in which many installations remain unpatched.

Chromium powers not only Google Chrome but also Microsoft Edge, Brave, Opera, and other browsers used by hundreds of millions of users worldwide. This widespread adoption means that any exploit targeting Chromium vulnerabilities has the potential to affect a significant portion of the global internet population.

Security analysts note that the lengthy gap between initial report and public disclosure creates a genuine tradeoff. Coordinated disclosure practices give vendors time to develop and ship a patch, but a 29-month timeline raises the question of whether earlier communication with the research community, and with the downstream browsers that ship Chromium, would have served users better.

Users of Chromium-based browsers are strongly encouraged to ensure their installations are updated to the latest version, which includes the patch for this vulnerability. Automatic updates handle this for most users, but a downloaded update only takes effect once the browser is relaunched, so a browser that has been left open for days may still be running the vulnerable build. Those running manual installations should verify their version immediately: in Chrome, chrome://settings/help shows the installed version and triggers an update check (edge://settings/help in Microsoft Edge; other Chromium-based browsers expose the same page under their own scheme).
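For administrators who need to confirm the fix across many hosts rather than one browser at a time, the following is an added example script, not code from the article or from the Chromium project. It runs each Chromium-based browser found on PATH with `--version`, parses the four-part Chromium version, and compares it numerically against a minimum. The article does not name the patched build, so `MINIMUM_VERSION` is a placeholder assumption to be replaced with the first fixed version from the vendor's release notes; the binary names are the usual Linux package names and are also assumptions.

```python
"""Fleet check: is the installed Chromium-based browser at or above a minimum build?

Added example, not from the original article. The article gives no patched
version number, so MINIMUM_VERSION is a placeholder; replace it with the
first fixed build from the vendor's release notes before relying on it.
"""
import re
import shutil
import subprocess
from typing import Dict, Optional, Tuple

# ASSUMPTION: placeholder value, not taken from the article or a release note.
MINIMUM_VERSION = "120.0.0.0"

# ASSUMPTION: typical Linux/macOS binary names for Chromium-based browsers.
BROWSER_BINARIES = [
    "google-chrome", "google-chrome-stable", "chromium", "chromium-browser",
    "microsoft-edge", "microsoft-edge-stable", "brave-browser", "opera",
]

# Chromium versions are always four dot-separated integers, e.g. 119.0.6045.105.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the four-part Chromium version from `--version` output.

    Handles lines such as 'Google Chrome 119.0.6045.105',
    'Chromium 118.0.5993.70 Arch Linux' or 'Microsoft Edge 119.0.2151.58'.
    Returns None when no four-part version is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def is_patched(installed: str, minimum: str = MINIMUM_VERSION) -> bool:
    """True if `installed` is at least `minimum`.

    Compares integer tuples, not strings: a string comparison would rank
    '9.0.0.0' above '119.0.0.0' and report an ancient build as patched.
    """
    have, need = parse_version(installed), parse_version(minimum)
    if have is None or need is None:
        raise ValueError("unparseable version string")
    return have >= need


def query_binary(name: str) -> Optional[str]:
    """Run `<binary> --version` if it is on PATH; return its stdout or None."""
    path = shutil.which(name)
    if path is None:
        return None
    try:
        proc = subprocess.run([path, "--version"], capture_output=True,
                              text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return proc.stdout.strip() or None


def audit_host(minimum: str = MINIMUM_VERSION) -> Dict[str, Tuple[str, bool]]:
    """Map each browser found on PATH to (raw version line, meets minimum?).

    A browser whose output cannot be parsed is reported as not patched, so
    an unexpected format fails closed rather than silently passing.
    """
    results: Dict[str, Tuple[str, bool]] = {}
    for name in BROWSER_BINARIES:
        output = query_binary(name)
        if output is None:
            continue
        ok = parse_version(output) is not None and is_patched(output, minimum)
        results[name] = (output, ok)
    return results


if __name__ == "__main__":
    found = audit_host()
    if not found:
        print("no Chromium-based browser found on PATH")
    for name, (line, ok) in found.items():
        print(f"{'OK ' if ok else 'OLD'} {name}: {line}")
```

Note that `--version` reports the binary on disk, which may be newer than the process a user currently has open; pairing this check with a forced relaunch (or with the browser's own update policy reporting) closes that gap.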
