Google on Wednesday introduced the discharge of a Chrome 136 replace that resolves 4 vulnerabilities, warning that an exploit exists within the wild for considered one of them.
The problem, tracked as CVE-2025-4664, is likely one of the two bugs reported by exterior researchers that have been resolved on this Chrome replace.
With out offering technical particulars, Google describes the flaw as an “inadequate coverage enforcement situation in Loader”.
In keeping with a NIST advisory, the safety defect could possibly be exploited by a distant attacker “to leak cross-origin knowledge through a crafted HTML web page”.
“Google is conscious of studies that an exploit for CVE-2025-4664 exists within the wild,” Google notes in its advisory.
This phrasing is usually utilized by Google when a Chrome vulnerability has been exploited in malicious assaults, but it surely’s unclear if on this case the corporate is conscious of precise zero-day exploitation or if it’s solely referring to an exploit being publicly accessible.
The web large realized of the vulnerability after safety researcher Vsevolod Kokorin (Slonser) posted info on X (previously Twitter).
In a sequence of posts on Might 5, Slonser defined that an attacker might modify the Hyperlink header that Chrome resolves on sub-resource requests to seize question parameters containing delicate info.Commercial. Scroll to proceed studying.
“Builders hardly ever contemplate the opportunity of stealing question parameters through a picture from a Third-party useful resource – which makes this trick surprisingly helpful typically,” the researcher famous.
The second externally reported situation addressed in Chrome 136 is tracked as CVE-2025-4609 and is described as a high-severity “incorrect deal with supplied in unspecified circumstances in Mojo”.
The most recent Chrome iteration is now rolling out as variations 136.0.7103.113/.114 for Home windows and macOS, and as model 136.0.7103.113 for Linux.
Customers are suggested to replace their browsers as quickly as doable. It’s not unusual for risk actors to focus on Chrome vulnerabilities rapidly after exploits are publicly launched.
Associated: Chrome 136, Firefox 138 Patch Excessive-Severity Vulnerabilities
Associated: Chrome 135, Firefox 137 Updates Patch Extreme Vulnerabilities
Associated: Chrome 135, Firefox 137 Patch Excessive-Severity Vulnerabilities
Associated: Firefox Affected by Flaw Much like Chrome Zero-Day Exploited in Russia
