Google has released emergency security updates to patch a high-severity vulnerability in the Chrome web browser that could lead to full account takeover following successful exploitation.
While it’s unclear if this security flaw has been used in attacks, the company warned that it has a public exploit, which is how it usually hints at active exploitation.
“Google is aware of reports that an exploit for CVE-2025-4664 exists in the wild,” Google said in a Wednesday security advisory.
The vulnerability was discovered by Solidlab security researcher Vsevolod Kokorin and is described as an insufficient policy enforcement in Google Chrome’s Loader component that lets remote attackers leak cross-origin data via maliciously crafted HTML pages.
“You probably know that unlike other browsers, Chrome resolves the Link header on subresource requests. But what’s the problem? The issue is that the Link header can set a referrer-policy. We can specify unsafe-url and capture the full query parameters,” Kokorin explained.
“Query parameters can contain sensitive data – for example, in OAuth flows, this might lead to an Account Takeover. Developers rarely consider the possibility of stealing query parameters via an image from a 3rd-party resource.”
Google fixed the flaw for users in the Stable Desktop channel, with patched versions (136.0.7103.113 for Windows/Linux and 136.0.7103.114 for macOS) rolling out to users worldwide.
Although the company says the security updates will roll out over the coming days and weeks, they were immediately available when BleepingComputer checked for updates.
Users who don’t want to update Chrome manually can also let the browser automatically check for new updates and install them after the next launch.
In March, Google also fixed a high-severity Chrome zero-day bug (CVE-2025-2783) that was abused to deploy malware in espionage attacks targeting Russian government organizations, media outlets, and educational institutions.
Kaspersky researchers who discovered the actively exploited zero-day said that the attackers use CVE-2025-2783 exploits to bypass Chrome sandbox protections and infect targets with malware.
Last year, Google patched 10 zero-days disclosed during the Pwn2Own hacking competition or exploited in attacks.
Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.
