Google Chrome 136 Update Fixes Critical Vulnerabilities: Exploit in the Wild

Google has recently rolled out a major update for Chrome, version 136, addressing a series of vulnerabilities that could have serious security implications. Among these vulnerabilities is one, tracked as CVE-2025-4664, that has already been exploited by malicious actors. Here’s a detailed look into what the update brings, why it’s critical, and the potential risks it helps mitigate.

The Chrome 136 Update:

On Wednesday, Google released Chrome 136, which resolves four vulnerabilities, including one that is already actively exploited in the wild. This flaw, identified as CVE-2025-4664, was reported by external security researchers and is tied to an insufficient policy enforcement issue in the Loader module.

According to Google’s advisory, this issue allows a remote attacker to potentially leak cross-origin data through a specially crafted HTML page. This is an alarming vulnerability because it could allow attackers to access sensitive information, especially from sub-resources, through seemingly harmless images or other third-party resources.

Google has not disclosed specific technical details about the flaw but has confirmed that the vulnerability is already being exploited in real-world attacks. While it remains unclear whether the exploit is a true zero-day attack, the existence of public exploits significantly raises the threat level. The vulnerability was first discovered by Vsevolod Kokorin, a security researcher who posted about it on X (formerly known as Twitter) on May 5. According to Kokorin’s research, the flaw can be exploited by manipulating the Link header in Chrome’s sub-resource requests, allowing attackers to steal sensitive data such as query parameters.

Additionally, Chrome 136 addresses another vulnerability, CVE-2025-4609, which involves an incorrect handle being provided in unspecified circumstances within the Mojo framework. This flaw has been categorized as high-severity, though it has not been widely discussed in the advisory.

The new update is now available for Windows, macOS, and Linux users, with versions 136.0.7103.113/.114 rolling out. Google has urged users to update their browsers immediately to protect against these vulnerabilities, especially considering how quickly attackers tend to target publicly disclosed flaws.
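An added example (not from Google or the original article): a Python check that classifies reported Chrome versions against the lowest fixed build named above, 136.0.7103.113. The host names and inventory lines are constructed, and the "host,version" input format is an assumption.

```python
import re

# Lowest fixed build named in the article (136.0.7103.113/.114).
FIXED_BUILD = (136, 0, 7103, 113)

# Four dot-separated numbers that are not part of a longer dotted number.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Return the four-part Chrome version in `text` as a tuple of ints, or None."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_text):
    """Classify one reported version string against FIXED_BUILD."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # unparseable: needs manual review, never "patched"
    # Tuple comparison is numeric per component, so .92 sorts below .113.
    return "patched" if version >= FIXED_BUILD else "needs-update"


def audit(inventory_lines):
    """Map host -> status for 'host,version string' lines (assumed format)."""
    results = {}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, reported = line.partition(",")
        results[host.strip()] = classify(reported)
    return results


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    "# host,version as reported by the endpoint",
    "ws-001,Google Chrome 136.0.7103.113",
    "ws-002,Google Chrome 136.0.7103.92",
    "ws-003,135.0.7049.115",
    "ws-004,Google Chrome 137.0.7151.55",
    "ws-005,version not reported",
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Comparing the raw strings would rank 136.0.7103.92 above 136.0.7103.113, which is why the versions are parsed into integer tuples first.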

What Undercode Says:

The release of Chrome 136 highlights a significant shift in how quickly vulnerabilities are being discovered and exploited in modern browsers. With the vulnerability CVE-2025-4664 already being actively used in attacks, this is a prime example of why timely security updates are crucial. What stands out is the fact that this exploit works by manipulating something as basic as the Link header, which developers typically overlook when securing sub-resources like images or third-party content.

This particular vulnerability points to a deeper issue in the security mechanisms of modern browsers—cross-origin resource sharing (CORS) and other cross-site communication practices remain areas where even small mistakes can lead to large-scale compromises. While this specific vulnerability is relatively obscure, it’s a reminder of the need for strict security policies around how browsers handle external resources and sub-resource loading.

The other vulnerability, CVE-2025-4609, although severe, seems to be less impactful on a wide scale. However, it’s still a cause for concern, as Mojo handles many internal processes within Chrome. A flaw in this system could result in a chain reaction of failures, potentially leading to data breaches or system crashes.

From a development standpoint, the speed with which exploits appear post-publication indicates that the security community needs to place more emphasis on reviewing and reinforcing browser security as a whole. This is especially true for open-source projects and those operating in high-risk environments.

Fact Checker Results:

Exploit in the Wild: Confirmed. The CVE-2025-4664 vulnerability is actively being used in attacks.
Security Researcher Discovery: The flaw was reported by security researcher Vsevolod Kokorin, who detailed the exploitation method.
Severity Level: Both vulnerabilities are classified as high-severity, but CVE-2025-4664 is the more pressing concern.

Prediction:

Given the growing number of browser-based vulnerabilities being actively exploited, it’s likely that other major browsers will see similar vulnerabilities in the coming months. As more resources are dedicated to browser security, we expect to see more proactive measures such as automatic patching and enhanced security policies that focus on cross-origin issues. The prevalence of these vulnerabilities suggests an ongoing arms race between security researchers and malicious actors—one that will likely continue to intensify as web technologies evolve.

References:

Reported By: www.securityweek.com