Chrome vulnerability with exploit in the wild
Google has discovered security vulnerabilities in its Chrome web browser and released updated software. Remote attackers can abuse the flaws to obtain information they are not entitled to, and Google says an exploit for one of them already exists in the wild.
In the release announcement, Google's developers explain that the updated version closes four security holes. Only two of them were reported by external IT researchers, and, as usual, Google publishes brief details only on those two.
Google Chrome: Vulnerability with exploit
One vulnerability stems from insufficient policy enforcement in Chrome's "Loader" component. According to the vulnerability entry, a remote attacker can use it to leak cross-origin data via a crafted HTML page, meaning that one website can read information belonging to another (CVE-2025-4664 / EUVD-2025-14909, CVSS 4.3, risk "high" according to Google, "medium" according to CVSS). "Google is aware of reports that an exploit for CVE-2025-4664 exists in the wild," the vendor adds.
A second vulnerability affects the Mojo component, which Chrome uses for inter-process communication among other things, and which can hand out an incorrect handle under unspecified circumstances. Google does not describe the possible impact in any more detail, and neither the CVE entry nor the EUVD entry, which usually adds half a sentence of information, is publicly available yet (CVE-2025-4609, no CVSS score, risk "high" according to Google). Beyond the fact that they exist, nothing is known about the other two vulnerabilities so far.
The fixed browser versions are Google Chrome 136.0.7103.125 for Android, 136.0.7103.113 for Linux and 136.0.7103.113/114 for macOS and Windows.
Do a version check
If the browser is not yet up to date, opening the version dialog triggers the download and installation of the updated version. To get there, open the browser menu behind the icon with the three stacked dots to the right of the address bar, then go to "Help" and "About Google Chrome". The update only takes effect after the browser has been relaunched, which the dialog offers once the download is complete.
On Linux, updates are usually handled by the distribution's package management. The vulnerabilities sit in the Chromium code base and are therefore likely to affect browsers derived from it as well, such as Microsoft's Edge. Microsoft usually ships a corresponding Edge update on Friday; users should then install it promptly, which can likewise be done via the version dialog.
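The same check, scripted for a Linux host where the browser binary is on PATH. This is an added example and not part of the heise article or of Google's release notes; it assumes the binary names google-chrome, google-chrome-stable, chromium and chromium-browser, and it compares only against Chrome's own version numbers taken from the announcement above (Edge uses a different numbering scheme, so its `--version` output must not be fed to it).

```shell
#!/bin/sh
# Added example (not from the heise article or from Google): check whether a
# Chrome/Chromium "--version" line is at or above the first version that
# carries the fixes for CVE-2025-4664 / CVE-2025-4609.
# Assumption: only Chrome/Chromium numbering is compared; Edge has its own
# version numbers, so do not feed it Edge's output.

# First fixed versions as listed in Google's announcement.
FIXED_DESKTOP="136.0.7103.113"   # Linux, macOS, Windows (macOS/Windows also ship .114)
FIXED_ANDROID="136.0.7103.125"

# version_ge A B: succeed (0) if dotted version A is numerically >= B.
# Components are compared as integers, so 136.0.7103.92 < 136.0.7103.113.
version_ge() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"   # leading component of what is left of A
        y="${b%%.*}"
        if [ -z "$x" ]; then x=0; fi   # a missing component counts as 0
        if [ -z "$y" ]; then y=0; fi
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0   # all components equal
}

# extract_version LINE: print the first four-part version number found in LINE,
# e.g. "Google Chrome 136.0.7103.113" -> 136.0.7103.113; prints nothing if absent.
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+){3}' | head -n 1
}

# chrome_is_fixed LINE PLATFORM: PLATFORM is "android" or anything else (desktop).
# Returns 0 if the version in LINE contains the fix, 1 if an update is needed,
# 2 if no version number could be found in LINE.
chrome_is_fixed() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo "no version number found in: $1" >&2
        return 2
    fi
    case "${2:-desktop}" in
        android) min="$FIXED_ANDROID" ;;
        *)       min="$FIXED_DESKTOP" ;;
    esac
    if version_ge "$v" "$min"; then
        echo "$v >= $min: fix present"
        return 0
    fi
    echo "$v < $min: UPDATE NEEDED"
    return 1
}

# check_installed_browser: run the first Chrome/Chromium binary found in PATH
# with --version (this works without a display) and evaluate its output.
check_installed_browser() {
    for bin in google-chrome google-chrome-stable chromium chromium-browser; do
        if command -v "$bin" >/dev/null 2>&1; then
            line=$("$bin" --version 2>/dev/null) || line=""
            echo "$bin: $line"
            rc=0
            chrome_is_fixed "$line" desktop || rc=$?
            return "$rc"
        fi
    done
    echo "no Chrome/Chromium binary in PATH; use Help > About Google Chrome instead"
    return 0
}

check_installed_browser
```

Run it as `sh chrome-check.sh`; a non-zero exit status means an outdated browser was found, which makes the script usable from a fleet inventory or a cron job. Distribution packages of Chromium carry the upstream version number, so the same threshold applies to them.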
Found on https://www.heise.de/news/Chrome-Sicherheitsluecke-mit-Exploit-in-freier-Wildbahn-10384249.html