Over two billion Chrome users worldwide have been given a 21-day deadline to update their browsers following the identification of a critical security vulnerability, CVE-2025-4664, which is being actively exploited in the wild.
The emergency update, released on May 19, 2025, patches a vulnerability in Chrome’s Loader component that could allow attackers to steal cross-origin data through crafted HTML pages, potentially leading to serious security breaches and account takeovers. Attackers can potentially exploit the vulnerability by using hidden malicious images to harvest sensitive URL data.
Chrome’s emergency security patch addresses a critical Loader vulnerability enabling data theft through malicious HTML pages, posing significant account security risks.
The Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities catalog, prompting the federal government to mandate updates for all federal staff. This mandate is part of a comprehensive digital literacy initiative to enhance cybersecurity across government agencies. The vulnerability, detected by security researcher Vsevolod Kokorin on May 5, 2025, carries a CVSS score of 4.3 and is the second actively exploited vulnerability, after CVE-2025-2783.
Chrome’s latest update brings the Stable channel to versions 136.0.7103.113/.114 for Windows and Mac users, and 136.0.7103.113 for Linux systems. Users can manually update their browsers through the Settings menu, though automatic updates may be delayed if the browser remains continuously open or if certain extensions prevent the update process.
The security risk extends beyond Chrome to other Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, whose users must likewise apply corresponding patches when available. This widespread update requirement coincides with Chrome’s broader security initiative requiring extensions to migrate to Manifest V3 by June 2025, which promises improved privacy and security features.
Users who fail to update within the 21-day window risk losing access to their browsers and remain vulnerable to information theft through exploited vulnerabilities.
The update process requires a browser restart to complete installation and secure against potential attacks. Chrome’s Beta channel has already been updated to version 137.0.7151.40 as of May 21, 2025, demonstrating Google’s swift response to this security threat.
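For administrators tracking the rollout, the following added example (not from the original article or from Google) checks an inventory export against the patched Stable build named above and separates hosts where the update is on disk but an older build is still running, the restart case the article describes. The CSV layout, host names and sample versions are constructed assumptions.

```python
import csv
import io
import re

# First patched Stable build named in the article (Windows/Mac also ship .114).
PATCHED_MIN = (136, 0, 7103, 113)
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Return a 4-int tuple from e.g. 'Google Chrome 136.0.7103.92', or None."""
    match = _VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None

def classify(installed_text, running_text):
    """Classify one host from its on-disk and in-memory Chrome versions."""
    installed = parse_version(installed_text)
    running = parse_version(running_text)
    if installed is None:
        return "unknown"
    # Compare as integer tuples: as plain strings, ".92" sorts above ".113".
    if installed < PATCHED_MIN:
        return "vulnerable"
    # Patched binary on disk, but an older build is still the live process:
    # the fix is not active until the browser restarts.
    if running is not None and running < PATCHED_MIN:
        return "restart-pending"
    return "patched"

def audit(inventory_csv):
    """Group hosts by status. Columns (assumed): host,installed,running."""
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row["installed"], row["running"])
        report.setdefault(status, []).append(row["host"])
    return report

# Constructed sample inventory, not real data.
SAMPLE = """host,installed,running
ws-01,Google Chrome 136.0.7103.114,136.0.7103.114
ws-02,Google Chrome 136.0.7103.92,136.0.7103.92
ws-03,Google Chrome 136.0.7103.113,136.0.7103.59
ws-04,Google Chrome 137.0.7151.40,137.0.7151.40
ws-05,not installed,
"""

if __name__ == "__main__":
    for status, hosts in sorted(audit(SAMPLE).items()):
        print(f"{status}: {', '.join(hosts)}")
```

The check covers Google Chrome only; other Chromium-based browsers use their own version numbers and need their vendors' patched builds as the threshold.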