Google has issued a critical Chrome security update in response to a high-severity browser vulnerability identified as CVE-2025-4664. This flaw, discovered by Solidlab’s Vsevolod Kokorin, affects Chrome’s Loader component and can be exploited to leak cross-origin data, exposing users to account takeover risks. The vulnerability arises from Chrome’s handling of the Link header, which in specific configurations allows attackers to retrieve sensitive query parameters—often used in OAuth authentication flows.
Although Google has not confirmed widespread attacks, the company’s warning about an active public exploit indicates urgency. When such exploits are circulating, it often suggests that cybercriminals are attempting to abuse the vulnerability. Google has pushed updates for all users on the Stable Desktop channel to close this security gap swiftly.
What Users Need to Know About the Security Update
Google released the updated Chrome versions 136.0.7103.113 for Windows/Linux and 136.0.7103.114 for macOS, and these are now available globally. Users can apply the update manually through Chrome settings or wait for the browser to perform its automatic update during the next restart. Those who frequently access online banking, casino accounts, or any services involving authentication tokens are strongly encouraged to update immediately.
The vulnerability, while technical in nature, has simple real-world consequences: an attacker could potentially hijack a session or intercept login credentials via manipulated image requests on third-party sites. The use of referrer-policy headers in link directives is what made this exploitation path possible. Google’s patch reinforces correct policy enforcement and closes the loophole.
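
An added example, not taken from Google's advisory or from this article: a defender-side audit that parses `Link` response headers from captured traffic and flags link-values whose referrer policy would send the full URL, query string included, to another origin. The `referrerpolicy` parameter name, the record layout and the sample hosts are assumptions; the policy values come from the W3C Referrer Policy specification.

```python
import re
from urllib.parse import urljoin

# Referrer policies (W3C Referrer Policy spec) that send the full URL,
# query string included, to another origin over HTTPS.
FULL_URL_CROSS_ORIGIN = {"unsafe-url", "no-referrer-when-downgrade"}

# One link-value: <target> followed by ;name or ;name=value parameters.
_LINK = re.compile(r'<([^>]*)>((?:\s*;\s*[\w-]+(?:\s*=\s*(?:"[^"]*"|[^;,\s]*))?)*)')
_PARAM = re.compile(r';\s*([\w-]+)\s*=\s*(?:"([^"]*)"|([^;,\s]*))')


def parse_link_header(value):
    """Yield (target, params) for each link-value in a Link header.
    Parameter names and values are lower-cased; valueless ones are skipped."""
    for match in _LINK.finditer(value):
        params = {}
        for name, quoted, bare in _PARAM.findall(match.group(2)):
            params.setdefault(name.lower(), (quoted or bare).strip().lower())
        yield match.group(1), params


def flag_link_headers(records):
    """Return (response_url, absolute_target, policy) for every link-value
    whose referrerpolicy would expose the full referring URL."""
    findings = []
    for rec in records:
        for target, params in parse_link_header(rec.get("link", "")):
            policy = params.get("referrerpolicy")  # assumed parameter name
            if policy in FULL_URL_CROSS_ORIGIN:
                findings.append((rec["url"], urljoin(rec["url"], target), policy))
    return findings


# Constructed sample records (response URL + Link header), not real traffic.
SAMPLE = [
    {"url": "https://img.example/a.png",
     "link": '<https://cdn.example/b.png>; rel="preload"; as="image"; '
             'referrerpolicy="unsafe-url"'},
    {"url": "https://shop.example/",
     "link": '</app.css>; rel=preload; as=style, '
             '<https://cdn.example/f.woff2>; rel=preload; as=font; crossorigin'},
    {"url": "https://news.example/",
     "link": '<https://cdn.example/hero.jpg>; rel=preload; referrerpolicy=no-referrer'},
]

if __name__ == "__main__":
    for finding in flag_link_headers(SAMPLE):
        print(finding)
```

Only the first constructed record is reported; the other two either set no policy in the header or set one that withholds the referrer.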

Chrome’s Recent Security Struggles Continue in 2025
This is the second high-profile Chrome bug fixed this year. In March 2025, Google patched CVE-2025-2783, a zero-day flaw actively exploited by threat actors targeting Russian governmental bodies and news organizations. That exploit successfully bypassed Chrome’s sandbox security, allowing malware to infect systems directly.
In total, Google addressed at least ten zero-day vulnerabilities in 2024, many of which were identified through high-profile events like Pwn2Own or discovered in the wild. As Chrome remains one of the most widely used browsers in the world, it continues to be a top target for cybercriminals. The company’s fast action, however, shows its ongoing commitment to protecting users from emerging threats.