Update Chrome to Prevent Takeover

Google has released emergency security updates for Chrome after pinpointing a high-severity vulnerability that attackers are actively exploiting in the wild. The security flaw, tracked as CVE-2025-4664, facilitates cross-origin data leakage through Chrome’s Loader component because of insufficient policy enforcement, potentially exposing sensitive user information to malicious actors.

Security researcher Vsevolod Kokorin of Solidlab reported the vulnerability, which affects Chrome versions prior to 136.0.7103.113 on Windows and Linux and prior to 136.0.7103.114 on macOS. Exploitation relies on Chrome’s unusual handling of Link headers on subresource requests, which lets attackers capture sensitive data through specially crafted HTML pages. Researchers have identified over 11,600 malware variants actively targeting these systems.

A critical Chrome vulnerability enables data theft through Link header manipulation in subresource requests, affecting millions of users worldwide.

The vulnerability’s severity is heightened by its ability to leak OAuth tokens and authentication credentials through images loaded from third-party resources. Attackers can exploit this by setting the referrer-policy to “unsafe-url,” allowing the capture of full query parameters. This marks the second major Chrome vulnerability this year to see active exploitation in real-world attacks.
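As an added illustration from the defender’s side (not code from the article or from Google), the following Python parses a response’s Link header and flags entries whose referrer policy would send the requesting page’s full URL, query string included, to the linked resource. It assumes the policy appears as a `referrerpolicy` parameter, the name the HTML preload syntax uses, and the sample headers are constructed.

```python
import re

# Referrer policies that send the page's full URL, query string included, to a
# cross-origin destination: "unsafe-url" (named above) and "no-referrer-when-downgrade".
FULL_URL_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}

def split_link_entries(value):
    # Split on commas that sit outside <...> targets and "quoted" values.
    entries, buf, in_target, in_quote = [], [], False, False
    for ch in value:
        if ch == '"':
            in_quote = not in_quote
        elif ch in "<>" and not in_quote:
            in_target = ch == "<"
        if ch == "," and not in_target and not in_quote:
            entries.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    return entries + ["".join(buf)] if buf else entries

def parse_link_entry(entry):
    # '<url>; rel=preload; as=image; referrerpolicy=unsafe-url' -> dict with the
    # target under "url" and lower-cased parameter names and values.
    m = re.match(r"\s*<([^>]*)>(.*)", entry, re.S)
    if not m:
        return {}
    fields = {"url": m.group(1).strip()}
    for param in m.group(2).split(";"):
        name, _, val = param.strip().partition("=")
        if name:
            fields[name.lower()] = val.strip().strip('"').lower()
    return fields

def find_leaky_links(headers):
    # Return (target, policy) for each Link entry that leaks the full page URL.
    hits = []
    for name, value in headers.items():
        if name.lower() != "link":
            continue
        for fields in map(parse_link_entry, split_link_entries(value)):
            policy = fields.get("referrerpolicy", "")
            if policy in FULL_URL_POLICIES:
                hits.append((fields["url"], policy))
    return hits

# Constructed sample response headers, not taken from any real site.
SAMPLE_HEADERS = {"Content-Type": "text/html", "Link": (
    '<https://cdn.example/logo.png>; rel=preload; as=image, '
    '<https://collector.example/p.gif>; rel=preload; as=image; referrerpolicy="unsafe-url"')}
```

Running `find_leaky_links(SAMPLE_HEADERS)` reports only the second entry; a reverse proxy or response-inspection rule can use the same check to alert on pages that set such a policy on preloaded third-party resources.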

Technical analysis reveals the potential for privilege escalation and memory corruption, with proof-of-concept demonstrations confirming the attack’s viability. Organizations face significant risks, as successful exploits could lead to account takeovers and unauthorized access to sensitive business data. The Dutch NIS2 consultation process has highlighted the growing importance of addressing such vulnerabilities promptly. The vulnerability particularly impacts services relying on query parameter authentication flows.

Google has responded by releasing patches for both consumer and enterprise versions of Chrome. The Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends immediate updates to the latest versions: 136.0.7103.113 for Windows and Linux users, and 136.0.7103.114 for macOS users.

Furthermore, users of other Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, are advised to apply security updates as they become available to protect against potential exploitation.
