ungoogled-software/ungoogled-chromium

Disable Background Fetch API (unpatched Chromium vuln, exploit code public)

Open

#3791 opened on May 21, 2026

View on GitHub
 (0 comments) (0 reactions) (0 assignees)Python (18,674 stars) (771 forks)batch import
enhancementhelp wanted

Description

Description

How to disable Background Fetch API at build time?

Who's implementing?

  • I'm willing to implement this feature myself

The problem

Background Fetch in Chromium has a vulnerability that's been public since yesterday (May 20, 2026). Originally reported by Lyra Rebane in late 2022, rated S1 internally, still unpatched ~29 months later. Google briefly published PoC exploit code on their own tracker before pulling it.

How it works: a malicious site registers a service worker that uses Background Fetch to keep a persistent connection open - survives tab close, browser restart, sometimes OS reboot. Turns the browser into a low-capability botnet node (anonymous proxy, proxied DDoS, traffic monitoring). Doesn't cross same-origin boundaries by itself, but stockpiles browsers for when the next vuln drops.

Affects every Chromium-based browser including UC. Firefox and Safari aren't affected - they never shipped the API.

Refs:

Two things:

  1. Is there a way to disable Background Fetch at build time today - e.g. flipping BackgroundFetch in third_party/blink/renderer/platform/runtime_enabled_features.json5, or some existing build flag I missed? If something works, could it get a line in docs/?

  2. Could UC add a --disable-background-fetch switch (and ideally --disable-service-workers for the broader case), with Background Fetch defaulted off? Almost nothing uses it in practice - for typical UC users disabling it by default breaks essentially nothing, and anyone who needs it can flip the flag back. Until upstream ships a fix this looks like the only real user-side mitigation, and it fits the project's "privacy/control over convenience" line.

Possible solutions

  • Now: recipe for self-builders - how to disable Background Fetch and service workers at build time (files, flags, anything related).

  • Later: ship it as UC flags (--disable-background-fetch, --disable-service-workers), Background Fetch off by default.

Alternatives

No response

Additional context

No response

Contributor guide

Tech stack
ccpppythonshell
Domain
securitybuild systemdesktop
Issue type
security
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
4
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-2 days
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
needs maintainer response
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
Chromium build systemC++ basicsunderstanding of runtime features
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
20
Research direction
Examine the runtime enabled features.json5 file in third party/blink/renderer/platform/ to see if BackgroundFetch can be disabled via a build flag. Investigate Chromium's command line switch mechanism (e.g., chrome/browser/flag descriptions.cc) to understand how to add disable background fetch. Check if there are existing flags like disable service workers for reference. Also look at the Ungoogled Chromium build scripts (e.g., in build/ or patches/) to see how custom flags are currently applied. The issue has no comments or assignees, so the maintainer should confirm the approach before proceeding.