- Google patched a new Chrome bug recently
- Now, CISA added that vulnerability to KEV, signaling abuse in the wild
- Federal agencies have three weeks to update Chrome
The US Cybersecurity and Infrastructure Security Agency (CISA) added a new Chrome bug to its Known Exploited Vulnerabilities (KEV) catalog, signalling abuse in the wild, and giving Federal Civilian Executive Branch (FCEB) agencies a deadline to patch things up.
The flaw is tracked as CVE-2025-4664. It was recently discovered by security researchers Solidlab, and is described as an “insufficient policy enforcement in Loader in Google Chrome”. On NVD, it was explained that the bug allowed remote threat actors to leak cross-origin data via a crafted HTML page.
“Query parameters can contain sensitive data – for example, in OAuth flows, this might lead to an Account Takeover. Developers rarely consider the possibility of stealing query parameters via an image from a 3rd-party resource,” researcher Vsevolod Kokorin, who was attributed with discovering the bug, explained.
Time to patch
The flaw was first uncovered on May 5, with Google coming back with a patch on May 14. The browser giant did not discuss if the flaw was being exploited in real-life attacks, but it did state that it had a public exploit (which basically means the same thing).
Now, with CISA adding the bug to KEV, FCEB agencies have until June 5 to patch their Chrome instances or stop using the browser altogether. The first clean versions are 136.0.7103.113 for Windows/Linux and 136.0.7103.114 for macOS. In many cases, Chrome would deploy the update automatically, so just double-check which version you’re running.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned.
Indeed, the web browser is one of the most frequently targeted programs, since it handles untrusted data from countless sources around the web. Cybercriminals are always looking for vulnerabilities in browser code, plugins, or poorly secured websites, in an attempt to grab login credentials, or other ways to compromise the wider network.
Via BleepingComputer
Leave a comment