Photo: In Green / Shutterstock.com
Google has issued security updates to patch a high-severity bug in Chrome. An exploit for the vulnerability is available in the wild, and if exploited, it can grant an attacker full access to the victim’s account.
The vulnerability, tracked as CVE-2025-4664, was discovered by Solidlab security researcher Vsevolod Kokorin. Kokorin explains the vulnerability as an insufficient policy enforcement issue in Google Chrome’s loader component that gives hackers access to cross-origin data when the victim visits a maliciously created HTML page.
This cross-origin data contains query parameters that, in turn, have sensitive data. This leak can lead to an account takeover in specific data flows, such as OAuth.
The flaw has been fixed in Chrome versions 136.0.7103.113 for Windows and Linux and 136.0.7103.114 for macOS. Google also confirmed in its advisory that it’s aware of a publicly available exploit for the bug. This particular update is also rolling out much faster. While Google says the relevant updates will roll out over the coming weeks, Candid.Technology spotted the update available to download at the time of writing.
As usual, bug details and any links didn’t make it to the security advisory. Google claims that this data will be kept restricted until a “majority of users are updated with a fix.” The search giant also plans to retain restrictions if the bug “exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.”
At the time of writing, there is no word on whether the vulnerability has been exploited in the wild. However, Google’s acknowledgement of the exploit’s presence hints that it has already been exploited in the wild.
In the News: Novel infostealer caught stealing browser data and crypto wallet extensions
