SECURITYWEEK NETWORK:

ICS:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Chrome 136 Update Patches Vulnerability With ‘Exploit in the Wild’

Google has rolled out a Chrome 136 update that resolves a high-severity vulnerability for which a public exploit exists.
Chrome

Google on Wednesday announced the release of a Chrome 136 update that resolves four vulnerabilities, warning that an exploit exists in the wild for one of them.

The issue, tracked as CVE-2025-4664, is one of the two bugs reported by external researchers that were resolved in this Chrome update.

Without providing technical details, Google describes the flaw as an “insufficient policy enforcement issue in Loader”.

According to a NIST advisory, the security defect could be exploited by a remote attacker “to leak cross-origin data via a crafted HTML page”.

“Google is aware of reports that an exploit for CVE-2025-4664 exists in the wild,” Google notes in its advisory.

This phrasing is typically used by Google when a Chrome vulnerability has been exploited in malicious attacks, but it’s unclear if in this case the company is aware of actual zero-day exploitation or if it’s only referring to an exploit being publicly available. 

The internet giant learned of the vulnerability after security researcher Vsevolod Kokorin (Slonser) posted information on X (formerly Twitter).

In a series of posts on May 5, Slonser explained that an attacker could modify the Link header that Chrome resolves on sub-resource requests to capture query parameters containing sensitive information.

Advertisement. Scroll to continue reading.

“Developers rarely consider the possibility of stealing query parameters via an image from a 3rd-party resource – which makes this trick surprisingly useful sometimes,” the researcher noted.

The second externally reported issue addressed in Chrome 136 is tracked as CVE-2025-4609 and is described as a high-severity “incorrect handle provided in unspecified circumstances in Mojo”.

The latest Chrome iteration is now rolling out as versions 136.0.7103.113/.114 for Windows and macOS, and as version 136.0.7103.113 for Linux.

Users are advised to update their browsers as soon as possible. It is not uncommon for threat actors to target Chrome vulnerabilities quickly after exploits are publicly released.

Related: Chrome 136, Firefox 138 Patch High-Severity Vulnerabilities

Related: Chrome 135, Firefox 137 Updates Patch Severe Vulnerabilities

Related: Chrome 135, Firefox 137 Patch High-Severity Vulnerabilities

Related: Firefox Affected by Flaw Similar to Chrome Zero-Day Exploited in Russia

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

More from

Latest News

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Webinar: Rethinking Endpoint Hardening for Today’s Attack Landscape
On Demand

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Virtual Event: Cloud & Data Security Summit
July 16, 2025

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Cloud security startup Upwind has appointed Rinki Sethi as Chief Security Officer.

SAP security firm SecurityBridge announced the appointment of Roman Schubiger as the company’s new CRO.

Cybersecurity training and simulations provider SimSpace has appointed Peter Lee as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.