Google has issued an urgent security update for its Chrome web browser to address a critical vulnerability that could enable attackers to fully take over user accounts if exploited.
The flaw, identified as CVE-2025-4664, is categorized as high-severity and involves insufficient policy enforcement in Chrome’s Loader component. This could allow remote attackers to steal sensitive cross-origin data through malicious HTML pages.
While Google has not confirmed if the vulnerability is actively being exploited, it acknowledged the existence of a public exploit, often a signal that the flaw may already be under attack in the wild.
The vulnerability was discovered by Vsevolod Kokorin, a researcher at Solidlab Security. In a technical breakdown, Kokorin explained that the issue stems from Chrome’s unique handling of the Link header in subresource requests.
By manipulating the referrer-policy through a crafted HTML page, attackers could access sensitive query parameters—potentially including OAuth tokens used in login flows.
As part of its response, Google has released patches for users on the Stable Desktop channel, with fixed versions now available as 136.0.7103.113 for Windows/Linux and 136.0.7103.114 for macOS. These updates are being rolled out globally, though users can manually update Chrome or wait for the browser to apply the patch automatically after a restart.
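To check an endpoint inventory against the fixed builds quoted above, the following added example (not from Google or the original article) classifies each install by platform. The inventory rows are constructed sample data, and treating any numerically higher version as patched is an assumption, since the article only covers the Stable Desktop channel.

```python
# Added example: the fixed builds are the ones quoted in the article; the
# inventory rows below are constructed sample data, not real hosts.
import re

FIXED = {
    "windows": (136, 0, 7103, 113),
    "linux": (136, 0, 7103, 113),
    "macos": (136, 0, 7103, 114),
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return a 4-tuple of ints, or None if not a four-part Chrome version."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def classify(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one install."""
    fixed = FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # never assume an unparsable record is safe
    # Tuple comparison is numeric per component, so build 92 < build 113.
    return "patched" if version >= fixed else "vulnerable"


def audit(rows):
    """Group (host, platform, version) rows by status."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, platform, version_text in rows:
        report[classify(platform, version_text)].append(host)
    return report


SAMPLE_INVENTORY = [  # constructed records
    ("ws-001", "Windows", "136.0.7103.113"),
    ("ws-002", "Windows", "136.0.7103.92"),
    ("mac-001", "macOS", "136.0.7103.113"),   # one build short on macOS
    ("mac-002", "macOS", "136.0.7103.114"),
    ("lin-001", "Linux", "135.0.7049.115"),
    ("lin-002", "Linux", "137.0.7151.40"),
    ("kiosk-01", "ChromeOS", "136.0.7103.113"),  # platform not in the article
    ("ws-003", "Windows", "136.0.7103"),         # truncated version string
]
```

Hosts reported as unknown need a manual look, because the article gives no fixed build for their platform or their version string could not be parsed.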
This incident marks the second major Chrome vulnerability addressed in 2025. In March, Google patched another high-severity zero-day (CVE-2025-2783) that was actively exploited in espionage campaigns targeting Russian government entities, media, and universities. That flaw was used to bypass Chrome’s sandbox protections and deliver malware.
In 2024, Google patched at least 10 Chrome zero-days, many of which were revealed during the Pwn2Own hacking competition or observed in real-world attacks.
