
Chrome 136 Update Fixes Actively Exploited Security Flaw


Google has issued an urgent Chrome 136 update, patching a high-severity vulnerability (CVE-2025-4664) that already has an exploit circulating publicly.

The latest release, now live as version 136.0.7103.113/.114 for Windows and macOS and 136.0.7103.113 for Linux, addresses four vulnerabilities. Most critically, one of them—reported by independent security researcher Vsevolod Kokorin (known as Slonser)—could already be under active exploitation.

Google flagged CVE-2025-4664 as an “insufficient policy enforcement” issue in Chrome’s Loader component. While the company didn’t reveal technical details, a NIST advisory warns that a remote attacker could exploit it to leak cross-origin data using a specially crafted HTML page.

The vulnerability came to light after Kokorin posted a technical breakdown on X (formerly Twitter), showing how an attacker could tweak the Link header used by Chrome in sub-resource requests. This trick could expose query parameters containing sensitive user information.

Kokorin pointed out that developers often overlook how images loaded from third-party sources could serve as vectors for this kind of data theft.
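As an added defender-side example (not code from Google or from Kokorin's write-up): a small audit that flags the two conditions this kind of leak needs, secret-looking query parameters in the page URL and cross-origin image loads that do not pin a restrictive referrerpolicy attribute. The parameter-name list, the sample HTML and the assumption that the leak rides on the request sent for the image are constructed for illustration; keeping secrets out of query strings is the mitigation that holds regardless of browser version.

```python
"""Audit the two conditions that make query-parameter leakage through
third-party image loads possible: secret-looking parameters in the page
URL and cross-origin <img> loads without a restrictive referrerpolicy."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Heuristic list of parameter names that usually carry secrets (assumption).
SENSITIVE_PARAMS = {"token", "session", "sid", "auth", "code", "key", "api_key"}
# referrerpolicy values that never send the full URL to another origin.
SAFE_POLICIES = {"no-referrer", "origin", "same-origin", "strict-origin",
                 "origin-when-cross-origin", "strict-origin-when-cross-origin"}

class ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.images = []  # attribute dicts of every <img> start tag seen
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))

def sensitive_query_params(document_url):
    """Return the query parameter names in the page URL that look like secrets."""
    query = parse_qs(urlsplit(document_url).query)
    return sorted(name for name in query if name.lower() in SENSITIVE_PARAMS)

def risky_cross_origin_images(document_url, html):
    """Return src values of cross-origin images whose referrerpolicy is not restrictive."""
    page_host = urlsplit(document_url).netloc.lower()
    collector = ImgCollector()
    collector.feed(html)
    risky = []
    for img in collector.images:
        src = img.get("src") or ""
        host = urlsplit(src).netloc.lower()
        policy = (img.get("referrerpolicy") or "").lower()
        # Relative or same-host sources never cross an origin boundary.
        if host and host != page_host and policy not in SAFE_POLICIES:
            risky.append(src)
    return risky

def audit(document_url, html):
    """Leakage needs both conditions; the durable fix is removing the secret from the URL."""
    secrets = sensitive_query_params(document_url)
    images = risky_cross_origin_images(document_url, html)
    return {"sensitive_params": secrets, "unpinned_images": images,
            "at_risk": bool(secrets and images)}
```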

Alongside this critical bug, Google also patched CVE-2025-4609, another high-severity flaw affecting Chrome’s Mojo component. Described as an “incorrect handle provided in unspecified circumstances,” this issue was also reported externally but hasn’t been tied to any known exploits so far.

Although Google hasn’t confirmed whether CVE-2025-4664 has been exploited in live attacks, its wording—“exploit exists in the wild”—typically signals the risk of active abuse.

Security experts strongly recommend updating Chrome immediately. Once exploit details are public, cybercriminals are quick to take advantage—sometimes within hours.
