Executive Summary
In May 2026, a previously restricted Chromium issue and proof of concept became public. The demonstrated behavior allowed a service worker to call BackgroundFetchManager.fetch() and repeatedly delegate network work to the browser after the initiating page was gone [arstechnica.com opens in a new tab].
This is not a demonstrated Same-Origin Policy bypass, CORS response leak, cookie theft primitive, or system-level code-execution flaw. The supported risk is persistent browser-mediated activity from an attacker-controlled origin, including tracking browser availability, consuming network resources, and proxy- or denial-of-service-like abuse [arstechnica.com opens in a new tab].
Chromium landed commit 2976e22e8416cf3a341294855047bb6280ced6b2 on May 21, 2026. The change makes BackgroundFetchManager.fetch() throw NotAllowedError when called from a service-worker global scope by default, with a server-configurable origin allowlist to reduce compatibility risk [chromium.googlesource.com opens in a new tab]. Brave immediately backported the change to its release and beta branches [github.com opens in a new tab].
As of June 10, 2026, Chrome 149 was the stable desktop channel and Chrome 150 was beta [Sources 4 and 5]. The Chromium fix landed at main-branch position #1634751, associated with the Chrome 150 development line. Do not infer protection from a Chromium-family product name alone; verify the browser's exact build or vendor advisory.