Wednesday, June 18, 2025

Google fixes high-severity Chrome flaw with public exploit


Google has released emergency security updates to patch a high-severity vulnerability in the Chrome web browser that could lead to full account takeover following successful exploitation.

While it's unclear if this security flaw has been used in attacks, the company warned that it has a public exploit, which is how it usually hints at active exploitation.

“Google is aware of reports that an exploit for CVE-2025-4664 exists in the wild,” Google said in a Wednesday security advisory.

The vulnerability was discovered by Solidlab security researcher Vsevolod Kokorin and is described as an insufficient policy enforcement in Google Chrome’s Loader component that lets remote attackers leak cross-origin data via maliciously crafted HTML pages.

“You probably know that unlike other browsers, Chrome resolves the Link header on subresource requests. But what’s the problem? The issue is that the Link header can set a referrer-policy. We can specify unsafe-url and capture the full query parameters,” Kokorin explained.

“Query parameters can contain sensitive data – for example, in OAuth flows, this might lead to an Account Takeover. Developers rarely consider the possibility of stealing query parameters via an image from a third-party resource.”

Leaked OAuth access token (Vsevolod Kokorin)

Google fixed the flaw for users in the Stable Desktop channel, with patched versions (136.0.7103.113 for Windows/Linux and 136.0.7103.114 for macOS) rolling out to users worldwide.

Although the company says the security updates will roll out over the coming days and weeks, they were immediately available when BleepingComputer checked for updates.

Users who don't want to update Chrome manually can also let the browser automatically check for new updates and install them after the next launch.

In March, Google also fixed a high-severity Chrome zero-day bug (CVE-2025-2783) that was abused to deploy malware in espionage attacks targeting Russian government organizations, media outlets, and educational institutions.

Kaspersky researchers who discovered the actively exploited zero-day said that the attackers use CVE-2025-2783 exploits to bypass Chrome sandbox protections and infect targets with malware.

Last year, Google patched 10 zero-days disclosed during the Pwn2Own hacking competition or exploited in attacks.
