Important Chrome Update: Addressing Critical Actively Exploited Vulnerability

Google has implemented an urgent update for the Chrome browser to address a significant vulnerability that is currently being actively exploited. This update elevates the Stable channel versions to 136.0.7103.113/.114 for Windows and Mac platforms, and 136.0.7103.113 for Linux systems.

To ensure your Chrome browser is up-to-date, it is recommended to enable automatic updates. However, users may experience delays if the browser is not closed regularly or if updates are obstructed by extensions.

To manually check for updates, navigate to Settings > About Chrome. If an update is available, Chrome will notify the user and initiate the download. A browser restart is required to complete the update process and mitigate the associated vulnerabilities.

This update is particularly critical as it resolves an actively exploited vulnerability that could enable malicious actors to intercept information shared across websites. While Google has acknowledged awareness of the CVE-2025-4664 vulnerability in circulation, the Cybersecurity and Infrastructure Security Agency (CISA) has included it in its Known Exploited Vulnerabilities catalog, indicating its active exploitation.

Technical Details

The vulnerability, identified as CVE-2025–4664, originates from the Chrome Loader component, responsible for handling resource requests when users visit websites. Typically, the browser must load additional site components, such as images and scripts, from various sources. The Loader assists in managing these requests to ensure proper display of resources.

A critical aspect of this function is the enforcement of security measures intended to uphold the “same-origin policy,” which restricts one website from accessing data from another. However, the identified vulnerability arises from a failure to adequately apply security policies to Link headers. This oversight allows an attacker to establish a referrer policy in the Link header, causing Chrome to transmit complete URLs, including sensitive query parameters.

This situation poses a serious risk, as query parameters often contain confidential data such as OAuth tokens, session identifiers, and other personal information. For instance, when navigating to a site that handles sensitive or financial information, users may find URLs that include secret codes meant for authentication. Typically, the browser safeguards this information. However, due to the flaw in Chrome Loader, a successful attacker can deceive the browser into sending these sensitive codes to a malicious site by incorporating an image or another resource that the browser mistakenly fetches.

In this way, an attacker could embed a concealed image hosted on their server to collect complete URLs, thereby gaining access to private information without the user’s awareness. This exploitation could potentially allow the attacker to compromise user accounts or access other online services.

Cybersecurity threats require proactive measures and cannot be taken lightly. It is crucial to protect personal information and digital identity through robust cybersecurity practices.