Google on Wednesday announced the release of a Chrome 136 update that resolves four vulnerabilities, warning that an exploit exists in the wild for one of them.
The issue, tracked as CVE-2025-4664, is one of the two bugs reported by external researchers that were resolved in this Chrome update.
Without providing technical details, Google describes the flaw as an “insufficient policy enforcement issue in Loader”.
According to a NIST advisory, the security defect could be exploited by a remote attacker “to leak cross-origin data via a crafted HTML page”.
“Google is aware of reports that an exploit for CVE-2025-4664 exists in the wild,” Google notes in its advisory.
This phrasing is typically used by Google when a Chrome vulnerability has been exploited in malicious attacks, but it’s unclear if in this case the company is aware of actual zero-day exploitation or if it’s only referring to an exploit being publicly available.
The internet giant learned of the vulnerability after security researcher Vsevolod Kokorin (Slonser) posted information on X (formerly Twitter).
In a series of posts on May 5, Slonser explained that an attacker could modify the Link header that Chrome resolves on sub-resource requests to capture query parameters containing sensitive information.
“Developers rarely consider the possibility of stealing query parameters via an image from a 3rd-party resource – which makes this trick surprisingly useful sometimes,” the researcher noted.
The second externally reported issue addressed in Chrome 136 is tracked as CVE-2025-4609 and is described as a high-severity “incorrect handle provided in unspecified circumstances in Mojo”.
The latest Chrome iteration is now rolling out as versions 136.0.7103.113/.114 for Windows and macOS, and as version 136.0.7103.113 for Linux.
Users are advised to update their browsers as soon as possible. It is not uncommon for threat actors to target Chrome vulnerabilities quickly after exploits are publicly released.
Related: Chrome 136, Firefox 138 Patch High-Severity Vulnerabilities
Related: Chrome 135, Firefox 137 Updates Patch Severe Vulnerabilities
Related: Chrome 135, Firefox 137 Patch High-Severity Vulnerabilities
Related: Firefox Affected by Flaw Similar to Chrome Zero-Day Exploited in Russia