Google Patches High-Severity Chrome Flaw in Background Fetch API
Google has released a stable channel update for Chrome (versions 144.0.7559.109/.110 for Windows and macOS, 144.0.7559.109 for Linux) to address a high-severity vulnerability in the Background Fetch API. The update is now rolling out globally.
The flaw, tracked as CVE-2026-1504, involves an "inappropriate implementation" in the Background Fetch API a feature enabling web apps to manage large file transfers (e.g., videos or audio) in the background, even after a browser is closed. The vulnerability could allow attackers to bypass security checks, potentially leading to unauthorized data handling or state confusion during transfers.
An external security researcher reported the issue on January 9, 2026, and was awarded a $3,000 bounty after Google verified the patch. In line with security best practices, full technical details remain restricted until most users have updated, preventing threat actors from exploiting the flaw before widespread adoption.
While Google employs automated tools like AddressSanitizer and LibFuzzer to catch vulnerabilities during development, this bug was identified externally. Users can manually trigger the update via Help > About Google Chrome, which will prompt a restart to install the fix.
Source: https://cyberpress.org/chrome-security-update-background-fetch-api-vulnerability/
Google cybersecurity rating report: https://www.rankiteo.com/company/google
"id": "GOO1769604147",
"linkid": "google",
"type": "Vulnerability",
"date": "1/2026",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"{'affected_entities': [{'industry': 'Technology',
'location': 'Global',
'name': 'Google Chrome',
'type': 'Web Browser'}],
'attack_vector': 'Background Fetch API',
'customer_advisories': 'Users advised to update Chrome to the latest version',
'date_detected': '2026-01-09',
'description': 'Google has released a stable channel update for Chrome to '
'address a high-severity vulnerability in the Background Fetch '
'API. The flaw, tracked as CVE-2026-1504, involves an '
"'inappropriate implementation' that could allow attackers to "
'bypass security checks, potentially leading to unauthorized '
'data handling or state confusion during transfers.',
'impact': {'data_compromised': 'Potential unauthorized data handling',
'systems_affected': 'Google Chrome (versions 144.0.7559.109/.110 '
'for Windows and macOS, 144.0.7559.109 for '
'Linux)'},
'investigation_status': 'Patched',
'post_incident_analysis': {'corrective_actions': 'Patch released and '
'automated tools like '
'AddressSanitizer and '
'LibFuzzer to be enhanced',
'root_causes': 'Inappropriate implementation in '
'the Background Fetch API'},
'recommendations': 'Users should update Google Chrome to the latest version '
'via Help > About Google Chrome',
'references': [{'source': 'Google Chrome Release'}],
'response': {'communication_strategy': 'Full technical details restricted '
'until most users have updated',
'containment_measures': 'Patch released (versions '
'144.0.7559.109/.110 for Windows and '
'macOS, 144.0.7559.109 for Linux)',
'remediation_measures': 'Users advised to update via Help > '
'About Google Chrome'},
'title': 'Google Patches High-Severity Chrome Flaw in Background Fetch API',
'type': 'Vulnerability',
'vulnerability_exploited': 'CVE-2026-1504'}