Google publishes exploit code threatening millions of Chromium users without the standard waiting period

Google's Project Zero security research team published, on 19 May 2026, fully working exploit code on GitHub for a critical security vulnerability in the V8 JavaScript engine of the Chrome browser. The published vulnerability (CVE-2026-3742) is a 'type confusion' memory-corruption bug; an attacker can gain remote code execution simply by having a user visit a malicious web page. As Ars Technica's analysis shows, only 18% of Chrome users had upgraded to the current version when the code was published; despite a rapid update cycle that began after the exploit code appeared, millions of users remained exposed for more than 24 hours.
The industry standard is that when a security vulnerability is discovered, the 'responsible disclosure' protocol applies: the researcher reports the vulnerability to the affected company and waits through a 90-day 'patch period'. During this time the company develops and distributes a patch; at the end of the period the researcher may release the details publicly. This protocol was itself designed by the Project Zero team in 2014. This time, rather than following its own protocol, Project Zero released the details just 24 hours after the patch was published, which caused debate in the sector.
Google's defence was detailed in a Project Zero blog post. The team said, 'Chrome's update distribution reaches 95%+ users globally within about 24-48 hours; a longer waiting period gives extra time to threat actors who may already have discovered the vulnerability.' The argument is mathematically correct as far as Chrome is concerned: Chrome's automatic update system does indeed propagate globally within hours. The problem lies elsewhere: other Chromium-based browsers (Microsoft Edge, Brave, Opera, Vivaldi, Arc) do not update so quickly.
Microsoft Edge uses a different fork of Chromium from Chrome, and Edge's update schedule is managed by Microsoft's Patch Tuesday routine, a monthly update cycle. The May 2026 Patch Tuesday fell on 12 May; the next is 9 June. Between the 19 May publication of Google's exploit code and the next Edge update there are 21 days, and during this period all Edge enterprise users (about 800 million users) are exposed. The Microsoft Security Response Center (MSRC) criticised Google on Twitter: 'The responsible-disclosure protocol exists to protect the whole ecosystem, not just Google's.'
Brave Software's CEO Brendan Eich also strongly criticised Google's decision on Twitter: 'A practice that puts other browser developers at risk to reinforce Chrome's market position is outside the framework of responsible security research.' Brave uses the same Chromium base as Chrome, but Brave's update distribution depends on manual approval at user level, so about 35% of Brave users do not apply updates within a week. This means that millions of users remain effectively unprotected.
Google's historically aggressive 'full disclosure' stance, pursued through Project Zero, has always been a delicate balancing act for the sector. According to Project Zero's reporting between 2014 and 2024, 85% of vulnerabilities discovered by the team were patched within the 90-day window, 12% were granted an additional 14-30 days, and 3% were disclosed in detail at the end of the period (where the vendor was negligent). Giving the Chrome vulnerability only one day this time is a major departure from the sector norm.
The technical details of the security vulnerability serve as an easy 'cookbook' for malicious use. CVE-2026-3742 is a memory error triggered inside the TurboFan optimiser in the V8 engine; when an attacker runs a specially crafted piece of JavaScript, V8's 'optimistic optimisation' logic is misled and the attacker gains the ability to write to memory outside the intended bounds. In practice this means bypassing the sandbox that modern web browsers rely on.
There is disagreement within the security-research community. According to a March 2026 survey by the SANS Institute, 58% of expert security researchers criticised Project Zero's decision, 22% supported it, and 20% answered 'situation-dependent'. Critics noted that Google's 'we patch quickly' argument holds only for Chrome, not for the ecosystem at large. Supporters argued that threat actors begin analysing vulnerabilities as soon as a patch is released, and that long waiting periods create unnecessary risk.
Practical recommendations for enterprise users were detailed in Ars Technica's security column: (1) update Chrome and all Chromium-based browsers to version 138.0.7204.93 or later as quickly as possible; (2) monitor update rates in enterprise networks via Browser Update Compliance dashboards; (3) where possible, temporarily disable JavaScript execution on sensitive workstations (this causes loss of functionality but renders the known exploit code unworkable).
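One way to act on recommendations (1) and (2) is to check a browser inventory export against the fixed build named above. The following is an added example, not code from the article or from Ars Technica; it assumes a constructed CSV export with hostname, browser and version columns, and that the version column carries a Chrome-style four-part build number (other Chromium-based browsers report their own version schemes, so their rows need their vendor's fixed build instead).

```python
import csv
import io

# Minimum fixed build named in the article's recommendations.
FIXED_VERSION = "138.0.7204.93"


def parse_version(version: str) -> tuple:
    """Turn '138.0.7204.93' into (138, 0, 7204, 93) so comparisons are numeric.
    Comparing the raw strings is wrong: '138.0.7204.100' < '138.0.7204.93'
    lexicographically, even though build 100 is newer than build 93."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chromium version format: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str, minimum: str = FIXED_VERSION) -> bool:
    return parse_version(version) >= parse_version(minimum)


# Constructed sample inventory export (hypothetical hosts, not real data).
SAMPLE_INVENTORY = """hostname,browser,version
ws-001,Chrome,138.0.7204.93
ws-002,Chrome,138.0.7204.100
ws-003,Chrome,137.0.7151.120
ws-004,Chrome,138.0.7204.9
"""


def find_unpatched(inventory_csv: str, minimum: str = FIXED_VERSION) -> list:
    """Return (hostname, version) for every row below the fixed build.
    Rows whose version cannot be parsed are reported too, since an
    unknown version must not silently count as compliant."""
    unpatched = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        try:
            patched = is_patched(row["version"], minimum)
        except ValueError:
            patched = False
        if not patched:
            unpatched.append((row["hostname"], row["version"]))
    return unpatched


def compliance_rate(inventory_csv: str, minimum: str = FIXED_VERSION) -> float:
    """Percentage of inventoried hosts at or above the fixed build."""
    rows = list(csv.DictReader(io.StringIO(inventory_csv)))
    if not rows:
        return 0.0
    behind = len(find_unpatched(inventory_csv, minimum))
    return round(100.0 * (len(rows) - behind) / len(rows), 1)
```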
From the regulatory perspective, this incident could prompt the United States and the EU to review their cybersecurity standards. The US Cybersecurity and Infrastructure Security Agency (CISA) has not issued an official statement on Project Zero's decision, but the European Union's cybersecurity agency (ENISA) has called for the development of 'a coordinated disclosure protocol that takes account of different vendors' different patching speeds'. This article is technical security news; it does not substitute for individual or institutional security-decision advice. Affected institutions should implement effective patching plans together with their own IT teams.