Google has released an urgent security update for Chrome to patch a high-severity vulnerability that attackers are actively exploiting in the wild.
The tech giant announced yesterday that Chrome’s Stable channel has been updated to version 136.0.7103.113/.114 for Windows and Mac, and 136.0.7103.113 for Linux to address four security issues, including a high-severity zero-day flaw.
Of the four, CVE-2025-4664 is the most serious. Google’s advisory describes it as “insufficient policy enforcement in Loader”, the part of Chromium that fetches pages and their subresources.
Details of CVE-2025-4664
According to Google’s description, the flaw allows a remote attacker to leak cross-origin data via a crafted HTML page. It is a policy-enforcement bug rather than a memory-corruption bug, and Google’s advisory does not claim code execution for it.
“The flaw allows an attacker to bypass security policies within Chrome’s Loader logic, potentially leading to unauthorized code execution or sandbox escape,” explained security experts tracking the issue.
Active Exploitation in the Wild
Google confirmed it is “aware of reports that an exploit for CVE-2025-4664 exists in the wild”, which is why users should update immediately.
The vulnerability was first described publicly in an X post by security researcher @slonser_ on May 5, 2025, so the technique was public before Google’s patch shipped.
Google has not shared specific details about ongoing exploitation attempts, likely to prevent further abuse while users update their browsers.
Additional Vulnerabilities Addressed
In addition to the zero-day, the Chrome update also patches another high-severity flaw, CVE-2025-4609, involving “incorrect handle provided in unspecified circumstances in Mojo”.
Mojo is the IPC layer that connects Chrome’s sandboxed renderer processes to the privileged browser process, so a bug that hands a renderer the wrong handle can become a route to privilege escalation or memory corruption in the more trusted process.
Chrome’s security team credited external researchers for both issues: @slonser_ for the Loader flaw, reported on May 5, and a researcher known as Micky, who reported the Mojo vulnerability on April 22.
Google’s Ongoing Security Efforts
Google’s internal security initiatives, including tools like AddressSanitizer, have found over 300 bugs in Chromium, significantly enhancing Chrome’s security posture.
Users can verify their Chrome version and trigger an update by navigating to chrome://settings/help in their browser. Chrome downloads updates in the background, but the new build only takes effect after the browser is relaunched, so given active exploitation a manual check and relaunch are recommended rather than waiting for the automatic rollout.
Version Numbers to Check
- Windows/Mac: 136.0.7103.113/.114
- Linux: 136.0.7103.113
- Android: 136.0.7103.125 (via Google Play)
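For anyone who has to confirm the update across a fleet rather than one machine, the check below is an added example (not part of the original article or any Google tooling): it parses the version string Chrome reports on the command line and compares it, component by component, against the minimum patched build for each desktop platform listed above. The version strings in the samples are constructed for illustration, and the Windows probe assumes the default 64-bit install path, which is a local assumption rather than something the article states.

```python
"""Fleet check for the Chrome 136.0.7103.113 stable update (CVE-2025-4664,
CVE-2025-4609). Added example; not from the original article or from Google."""
import re
import subprocess
import sys
from typing import Optional, Tuple

# Minimum patched builds per desktop platform, from the stable-channel announcement.
# Windows/Mac shipped as .113/.114; the lower number is the floor for "patched".
PATCHED_MIN = {
    "windows": (136, 0, 7103, 113),
    "mac": (136, 0, 7103, 113),
    "linux": (136, 0, 7103, 113),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_chrome_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract the 4-part Chrome version from output such as
    'Google Chrome 136.0.7103.92 ' or 'Chromium 135.0.7049.114 snap'.
    Returns None when no version is present (e.g. Chrome is not installed)."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_patched(version_text: str, platform: str) -> bool:
    """True if the reported build is at least the patched build for `platform`.
    Versions are compared as integer tuples, not strings: 136.0.7103.113 sorts
    above 136.0.7103.92, whereas a plain string comparison would rank '92'
    above '113' and wrongly report the old build as patched."""
    v = parse_chrome_version(version_text)
    if v is None:
        # Unknown or absent: report as not patched so the host gets looked at.
        return False
    return v >= PATCHED_MIN[platform]


def installed_version_text() -> str:
    """Best-effort probe of the local machine. Linux/Mac ask the binary for
    --version; Windows reads the ProductVersion of chrome.exe via PowerShell
    (assumes the default 64-bit install path). Returns '' if nothing is found."""
    if sys.platform.startswith("win"):
        cmd = ["powershell", "-NoProfile", "-Command",
               '(Get-Item "$env:ProgramFiles\\Google\\Chrome\\Application\\chrome.exe")'
               ".VersionInfo.ProductVersion"]
    elif sys.platform == "darwin":
        cmd = ["/Applications/Google Chrome.app/Contents/MacOS/Google Chrome", "--version"]
    else:
        cmd = ["google-chrome", "--version"]
    try:
        return subprocess.run(cmd, capture_output=True, text=True, timeout=10).stdout
    except (OSError, subprocess.SubprocessError):
        return ""


if __name__ == "__main__":
    # Constructed samples: one unpatched build, one patched build, one host
    # where the probe found no Chrome at all.
    samples = {
        "linux-unpatched": "Google Chrome 136.0.7103.92 ",
        "mac-patched": "Google Chrome 136.0.7103.114",
        "linux-missing": "bash: google-chrome: command not found",
    }
    for name, text in samples.items():
        plat = "mac" if name.startswith("mac") else "linux"
        print(f"{name}: patched={is_patched(text, plat)}")

    local = installed_version_text()
    if local:
        plat = ("windows" if sys.platform.startswith("win")
                else "mac" if sys.platform == "darwin" else "linux")
        print(f"this host: {local.strip()} patched={is_patched(local, plat)}")
```

Treating an unparseable result as "not patched" is deliberate: a host where the probe fails is exactly the one that needs a human look, and a script that silently reports it as fine defeats the purpose of the sweep.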
Wider Implications and Security Challenges
This incident highlights the persistent security challenges faced by web browsers handling untrusted internet content.
Chrome remains the world’s most popular browser with approximately 65% market share across all platforms, making it a prime target for malicious actors.
Google continues to incentivize security researchers through its bug bounty program, offering rewards up to $250,000 for critical vulnerability discoveries.
The company’s proactive approach to security—through rapid patch deployment and transparent disclosure—remains essential in protecting billions of users worldwide.