Republished on May 18 with update now deployed to most users and warnings on the critical step all users must take to make sure their browsers are secure.
Google has warned that Chrome is open to attack, and has rushed out a fix for a vulnerability that enables a hacker to steal login credentials and bypass multi-factor authentication. It’s a critical issue, and it’s imperative it’s fixed immediately. The U.S. government has now mandated all federal staff to update by June 5. Whether you’re a home or enterprise user, you should do the same.
America’s cyber defense agency has told all federal agency staff to “apply mitigations per vendor instructions… or discontinue use of the product if mitigations are unavailable.” That means update inside the next 21 days or stop using your browser until you do.
CISA’s formal mandate only applies to federal employees, but its remit extends to all organizations, “to help [them]
better manage vulnerabilities and keep pace with threat activity.” Given the nature of this threat, users should act now. CISA issues plenty of such mandates, but given Chrome’s install base and that this threat is now in the public domain, it really is critical for you to follow suit.
Although the binding operational directive only applies to federal staff, CISA “strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management.”
As I warned yesterday, Google’s fix for CVE-2025-4664 came with a warning “of reports that an exploit exists in the wild.” This was flagged on X by @slonser_, after discovering that “a technique that’s probably not widely known in the community” enabled a query parameter takeover that could exploit sensitive data included in the string. “In OAuth flows, this might lead to an Account Takeover” if that query parameter is stolen.
This means stealing the text string from Chrome that includes security session credentials after you’ve logged into a service. It enables an attacker to replicate the secure session on their own device.
Per SC Media, “its inclusion in the KEV catalog indicates the attackers have attempted to misuse the flaw in the wild.” But it’s unclear whether the flagged exploit is the POC raised or there are actual attacks underway with bad actors having identified the vulnerability independently. It doesn’t matter now. This is in the public domain. We’re now in the period of maximum risk as attackers strike before browsers are patched.”
Cybersecurity News warns “the vulnerability stems from an incorrect handle provided under unspecified circumstances in Chrome’s Mojo Inter-Process Communication (IPC) layer, potentially leading to unauthorized code execution or sandbox escape. The vulnerability poses significant risks, including unauthorized data leakage across web origins… Given its classification as a zero-day flaw, it was exploited before Google released the patch, heightening the urgency for mitigation.”
Check your Chrome browser for the notification an update has been downloaded and you need to relaunch to ensure it installs. You’re looking for Chrome version 136.0.7103.113/.114. Do this as soon as you can — don’t let dozens of open tabs hold you back. With this vulnerability, it is imperative to patch now.
The same update warning also applies to Microsoft Edge. “This CVE was assigned by Chrome,” the Windows-maker has confirmed, but given “Microsoft Edge (Chromium-based) ingests Chromium,” that fix also “addresses this vulnerability.”
There’s a good explainer on this vulnerability now available courtesy of Cyber-AppSec on Medium. “This flaw affects Chrome’s Loader component and could allow attackers to steal sensitive data from other websites — all through a crafty little trick involving the Link header.” While “most browsers don’t pay much attention to Link headers on these kinds of requests,” Chrome does, which enables the attacker to trick the browser into sending your session security info included in a full URL to their own server.
That attack is now in the public domain. While Google’s warning advised this urgent update “will roll out over the coming days/weeks,” it should be available to you now — most users have it. It’s not surprising it has been deployed quickly, given the short space of time between the public disclosure and the update, and CISA’s update mandate. But automatically downloading the software is not enough. As the Chrome ecosystem is being warned (1,2), “all Chrome users must ‘relaunch’ their browser now.”
Why the need to relaunch? As Google explains, “normally updates happen in the background when you close and reopen your computer’s browser. But if you haven’t closed your browser in a while, you might see a pending update.
While Chrome “saves your opened tabs and windows and reopens them automatically when it restarts,” that’s not the case for Incognito tabs which “won’t reopen when Chrome restarts.” Google says “if you don’t want to restart straight away, select Not now,” which means “the update applies the next time that you restart Chrome. But given this is a fix for an active attack, that’s not recommended this time around.
