Google Patches Chrome Flaw Allowing Full Account Takeover

Google Releases Emergency Chrome Security Updates to Prevent Full Account Takeover 

Google urgently patched a critical vulnerability in the Chrome browser, tracked as CVE-2025-4664, which could allow remote attackers to take over user accounts completely. The flaw, discovered by security researcher Vsevolod Kokorin (@slonser_), arises from insufficient policy enforcement in Chrome’s Loader component in versions before 136.0.7103.113.

This vulnerability enables attackers to leak sensitive cross-origin data, such as OAuth query parameters, by tricking the browser into loading crafted HTML pages or images from third-party resources, something many developers often overlook. Such leaked query data could be exploited to hijack user accounts. 

Google confirmed the vulnerability is actively exploited in the wild and released updates for Chrome Stable Desktop channels: 

  • Windows/Linux: 136.0.7103.113 
  • macOS: 136.0.7103.114 
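
To check a fleet against the patched builds listed above, the following added example (not from Google or the original article) compares installed Chrome versions numerically per platform. The inventory rows, host names and status labels are constructed for illustration; it compares version parts as integers because a plain string comparison would rank build `.92` above `.113`.

```python
# Added example: audit a Chrome inventory against the patched Stable builds
# for CVE-2025-4664 listed in the article. Inventory data is constructed.

PATCHED = {
    "windows": (136, 0, 7103, 113),
    "linux": (136, 0, 7103, 113),
    "macos": (136, 0, 7103, 114),
}


def parse_version(text):
    """Turn '136.0.7103.113' into (136, 0, 7103, 113); None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def audit(inventory):
    """Return (host, status) pairs: patched, needs_update or unknown."""
    results = []
    for host, platform, version in inventory:
        minimum = PATCHED.get(platform.lower())
        parsed = parse_version(version)
        if minimum is None or parsed is None:
            status = "unknown"  # unparseable data is flagged, never assumed safe
        elif parsed >= minimum:  # tuple comparison is numeric, part by part
            status = "patched"
        else:
            status = "needs_update"
        results.append((host, status))
    return results


# Constructed sample inventory: (host, platform, installed Chrome version)
SAMPLE = [
    ("ws-001", "windows", "136.0.7103.113"),
    ("ws-002", "windows", "136.0.7103.92"),   # string compare would pass this
    ("mac-001", "macos", "136.0.7103.113"),   # one build below the macOS fix
    ("lnx-001", "linux", "137.0.7151.55"),
    ("ws-003", "windows", "not reported"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE):
        print(f"{host}: {status}")
```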

Previous Critical Chrome Vulnerability (CVE-2025-2783) Also Patched 

In March 2025, Google also fixed another high-severity flaw (CVE-2025-2783) affecting Chrome on Windows. This vulnerability involved an incorrect handle in Mojo, Google’s IPC (Inter-Process Communication) library responsible for sandboxed process communication and security. 

Reported by Kaspersky researchers Boris Larin and Igor Kuznetsov, this flaw was exploited in targeted attacks against organizations in Russia. Google released out-of-band updates to address this issue and noted that exploits were active in the wild. The update rolled out in Chrome version 134.0.6998.177/178 for Windows. 

Summary 

  • CVE-2025-4664: Critical Loader flaw allowing cross-origin data leaks, risking full account takeover. 
  • CVE-2025-2783: Mojo IPC handle flaw leading to potential sandbox escapes and privilege escalation. 
  • Both vulnerabilities are actively exploited. 
  • Google urges users to update Chrome immediately to the patched versions. 

 
