
Chrome Security Update Fixes Vulnerability in Background Fetch API


Google has officially released a stable channel update for the Chrome browser to address a high-severity security flaw affecting the Background Fetch API.

This update brings the browser version to 144.0.7559.109/.110 for Windows and macOS, and 144.0.7559.109 for Linux users.

The release is currently rolling out to the global user base. It includes one specific security fix contributed by an external researcher.

Background Fetch API Flaw Analysis

The focal point of this update is CVE-2026-1504, a high-severity vulnerability described as an “Inappropriate implementation in Background Fetch API.”

The Background Fetch API is a critical component for modern web applications, allowing developers to handle large downloads and uploads (such as movies or audio files) in the background.

| CVE ID | Severity | Description | Reward |
|---|---|---|---|
| CVE-2026-1504 | High | Inappropriate implementation in Background Fetch API | $3,000 |

It ensures that these processes continue even if the user closes the browser or the application creates a service worker to manage the transfer.

The vulnerability indicates a flaw in how Chrome implements the logic or security boundaries of this API.

While Google has not released the specific exploit chain to prevent abuse by threat actors, “inappropriate implementation” usually suggests that the API could be manipulated to bypass security checks, potentially allowing unauthorized data handling or state confusion during background transfers.

A security researcher reported this issue on January 9, 2026. Following the disclosure and subsequent patch verification, Google awarded a $3,000 bounty for the discovery.

In accordance with standard security protocols, Google is restricting access to the full bug details and links until a majority of the user base has applied the fix.

This delay is essential to prevent hackers from reverse-engineering the patch to create exploits before organizations and individuals have time to secure their browsers.

The restriction also applies if the bug exists in a third-party library that other projects depend on.

Google’s internal security teams also use tools such as AddressSanitizer, MemorySanitizer, and LibFuzzer to detect bugs during the development cycle, preventing many vulnerabilities from reaching the stable channel.

However, CVE-2026-1504 was caught externally. Users are advised to manually check for the update by navigating to Help > About Google Chrome in their browser menu.

The browser will check for the update and prompt a restart to install version 144.0.7559.109/.110.
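For administrators who need the same check across many machines, the following is an added example (not part of the original article) that flags hosts whose reported Chrome build is below 144.0.7559.109. The inventory format, host names and every version other than the fixed builds are constructed, and treating any later build as containing the fix is an assumption.

```python
import re

# Fixed build named in the article. Assumption: every later build also has the fix.
FIXED = (144, 0, 7559, 109)
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

# Constructed inventory lines: host,platform,reported version string.
SAMPLE_INVENTORY = """\
ws-001,windows,Google Chrome 144.0.7559.110
ws-002,windows,Google Chrome 144.0.7559.96
mac-007,macos,144.0.7559.109
lnx-014,linux,Google Chrome 143.0.7499.192
lnx-015,linux,Google Chrome 145.0.7600.12
kiosk-3,windows,unknown
"""

def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(version_text, fixed=FIXED):
    """Compare numerically, field by field. A plain string comparison would
    rank '144.0.7559.96' above '144.0.7559.109' and miss an unpatched host."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    return "patched" if v >= fixed else "vulnerable"

def audit(inventory_text):
    """Map each host to (platform, status); malformed lines are skipped."""
    results = {}
    for line in inventory_text.splitlines():
        parts = [p.strip() for p in line.split(",", 2)]
        if len(parts) != 3 or not parts[0]:
            continue
        host, platform, reported = parts
        results[host] = (platform, classify(reported))
    return results

def needs_update(inventory_text):
    """Hosts that are below the fixed build or report no usable version."""
    return sorted(h for h, (_, s) in audit(inventory_text).items() if s != "patched")

if __name__ == "__main__":
    for host, (platform, status) in audit(SAMPLE_INVENTORY).items():
        print(f"{host:8} {platform:8} {status}")
```

Hosts reported as "unknown" are listed alongside vulnerable ones so that a missing or unparseable version is followed up rather than counted as patched.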
