Chrome Patches High-Severity Background Fetch Flaw (CVE-2026-1504)

Google has rolled out an important update for the Chrome Stable channel, pushing version 144.0.7559.109/110 to Windows and Mac users (and 144.0.7559.109 for Linux) to address a single, high-severity security vulnerability. The flaw, which affects how the browser handles background data transfers, earned a security researcher a $3,000 bounty and prompted a swift response from the browser giant.

The update targets a vulnerability tracked as CVE-2026-1504, described as an “Inappropriate implementation in Background Fetch API.”

The Background Fetch API is a powerful modern browser feature. It allows websites to manage downloads of large files—like movies, audio files, or software updates—even if the user closes the tab or the browser itself. While convenient for users with spotty internet connections, flaws in such mechanisms can often be exploited to bypass security checks, spoof user interfaces, or mishandle data storage.

While Google restricts access to specific bug details until a majority of the user base has updated, the classification of “Inappropriate implementation” at a High severity level suggests a significant logic error that could potentially be abused by malicious sites to compromise user data or browser integrity.

The flaw was reported on January 9, 2026, by external security researcher Luan Herrera (@lbherrera_). Google’s security team acted quickly, turning around a fix in the stable channel relatively fast to close the potential attack vector.

The update is rolling out over the coming days and weeks, but users are advised to force the update immediately to ensure they are protected.

To update:

1. Open Chrome.
2. Click the three dots in the top right corner.
3. Go to Help > About Google Chrome.
4. The browser will check for updates and install version 144.0.7559.109 (or .110).

Related Posts:

• DarkGate and PikaBot: New Malware Threats Emerge from Advanced Phishing Campaign
• Chrome OS will support to run Android applications in the background
• Android Gets New “System Services” Page: Google Boosts Transparency for Background Apps
• New Android Malware Impersonates Indian Banks to Steal Data & Secretly Mine Monero

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy