Google has had a busy week on the cybersecurity front; there’s no doubt about that. The product update team has already confirmed and released a patch for an Android no user interaction attack that is being exploited in the wild, and Google’s security operations team has detailed how a new Lumma Stealer variant is deploying captcha lures to grab Windows passwords. With the Google Chrome browser only just hitting the highly anticipated version 136 milestone, there’s already a confirmed and critical security vulnerability that could lead to hackers remotely executing malicious code on your machine if successful. Here’s what you need to know about the audio-related CVE-2025-4372 security bug.
Critical Google Chrome Security Issue Confirmed
Let’s get the severity-rating elephant in the room out of the way before going into any further detail. Vendors such as Google and Microsoft like to apply their own severity ratings to vulnerabilities, often at odds with the generally accepted Common Vulnerabilities and Exposures determination. The whole point of giving a vulnerability a CVE number and associated rating is for users, especially security teams, to be able to get an at-a-glance understanding of the likely implications of an exploit and so assist with the patch management process. So, when vendors issue ratings that are most often lower than the official CVE ones, it’s confusing and, in my never humble opinion, far from helpful. CVE-2025-4372 has an official base rating of 9.8 to 10, depending on whether you apply version 2 or 3 of the rating classification system. Things don’t get much more critical than this, yet Google rates it as a medium-severity issue. Go figure.
OK, severity semantics out of the way, the fact remains that this is a nasty security vulnerability that Google has rushed out an update patch to fix. There’s a good reason for this; if exploited, it could lead to the remote execution of malicious code. Although there is no evidence of CVE-2025-4372 being exploited by attackers at this stage, don’t expect that status quo to exist for long. Requiring no user privileges to exploit, and relatively minor user interaction of visiting a malicious web page, the use-after-free memory vulnerability sits within Chrome’s WebAudio application programming interface.
The Google Chrome security update takes the browser to versions 136.0.7103.92/.93 for Windows and Mac, while Linux moves to version 136.0.7103.92. There’s also an Android update taking this version to 136.0.7103.87. All users are advised to kickstart the Chrome update process by visiting the Help|About Google Chrome menu option. Google has stated that the update will roll out automatically across the coming days and weeks.
