Google has published exploit code for a security vulnerability in Chromium that was first reported 29 months ago but has not yet been patched, according to security researchers.

The disclosure comes as part of Google's standard security research practices, though the timing has raised concerns given the extended period between the initial vulnerability report and the current lack of a fix. Chromium serves as the foundation for multiple web browsers including Google Chrome, Microsoft Edge, and numerous other browser applications.

The vulnerability potentially affects millions of users across various Chromium-based browsers. Security experts typically recommend that exploit code publication should follow responsible disclosure timelines that allow adequate time for patches to be developed and deployed.

The nearly two-and-a-half-year gap between the initial vulnerability report and the current situation represents an unusually extended timeline for addressing a security flaw in widely-used software. Browser security vulnerabilities are typically prioritized due to their potential for widespread impact.

Google has not immediately provided details about the specific nature of the vulnerability or the timeline for when a patch might become available. The company's security team generally follows established protocols for vulnerability disclosure and remediation.