Chrome Patches High-Severity Vulnerability in Background Fetch API
Google has released Chrome versions 144.0.7559.109 and 144.0.7559.110 to the stable channel, addressing a critical security flaw (CVE-2026-1504) in the Background Fetch API. The update is rolling out gradually across Windows, Mac, and Linux over the coming days and weeks.
The vulnerability, rated High severity (CVSS 7.5), stems from an inappropriate implementation in the Background Fetch API a web standard that enables background file downloads even after users close browser tabs. If exploited, the flaw could allow threat actors to manipulate background fetch operations, though specific exploitation details remain restricted until most users receive the patch.
Security researcher Luan Herrera (@lbherrera_) discovered and reported the issue on January 9, 2026, earning a $3,000 bug bounty under Google’s Vulnerability Reward Program. The fix is part of Chrome’s ongoing security efforts, supported by advanced detection tools like AddressSanitizer, MemorySanitizer, and Control Flow Integrity to prevent such vulnerabilities from reaching stable releases.
Users can manually update Chrome via Settings > About Chrome, with Windows and Mac users targeting versions 144.0.7559.109/.110 and Linux users receiving 144.0.7559.109. Enterprises managing large Chrome deployments are advised to monitor the rollout and validate application compatibility.
Google continues collaborating with security researchers to strengthen Chrome’s defenses, with additional details available in the official Chrome commit log.
Source: https://cybersecuritynews.com/chrome-fetch-api-vulnerability/
Google Chrome cybersecurity rating report: https://www.rankiteo.com/company/google-chrome
"id": "GOO1769604246",
"linkid": "google-chrome",
"type": "Vulnerability",
"date": "1/2026",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"{'affected_entities': [{'customers_affected': 'Chrome users on Windows, Mac, '
'and Linux',
'industry': 'Technology',
'location': 'Global',
'name': 'Google Chrome',
'type': 'Software'}],
'attack_vector': 'Background Fetch API manipulation',
'customer_advisories': 'Users advised to update Chrome via Settings > About '
'Chrome',
'date_detected': '2026-01-09',
'description': 'Google has released Chrome versions 144.0.7559.109 and '
'144.0.7559.110 to the stable channel, addressing a critical '
'security flaw (CVE-2026-1504) in the Background Fetch API. '
'The vulnerability, rated High severity (CVSS 7.5), stems from '
'an inappropriate implementation in the Background Fetch API, '
'which could allow threat actors to manipulate background '
'fetch operations.',
'impact': {'systems_affected': 'Chrome Browser (Windows, Mac, Linux)'},
'investigation_status': 'Resolved (patch released)',
'post_incident_analysis': {'corrective_actions': 'Patch released; use of '
'AddressSanitizer, '
'MemorySanitizer, and '
'Control Flow Integrity for '
'prevention',
'root_causes': 'Inappropriate implementation in '
'the Background Fetch API'},
'recommendations': 'Users should manually update Chrome to the latest version '
'(144.0.7559.109/.110). Enterprises should monitor the '
'rollout and validate application compatibility.',
'references': [{'source': 'Google Chrome Commit Log'}],
'response': {'communication_strategy': 'Official Chrome commit log and '
'security advisories',
'containment_measures': 'Patch released (versions '
'144.0.7559.109/.110)',
'remediation_measures': 'Manual update via Settings > About '
'Chrome'},
'title': 'Chrome Patches High-Severity Vulnerability in Background Fetch API',
'type': 'Vulnerability',
'vulnerability_exploited': 'CVE-2026-1504'}