Chrome patched this bug, but CISA says it's still actively exploited
CISA added it to KEV, giving FCEB agencies three weeks to patch up

- Google patched a new Chrome bug recently
- Now, CISA added that vulnerability to KEV, signaling abuse in the wild
- Federal agencies have three weeks to update Chrome
The US Cybersecurity and Infrastructure Security Agency (CISA) added a new Chrome bug to its Known Exploited Vulnerabilities (KEV) catalog, signalling abuse in the wild, and giving Federal Civilian Executive Branch (FCEB) agencies a deadline to patch things up.
The flaw is tracked as CVE-2025-4664. It was recently discovered by security researchers at Solidlab and is described as an “insufficient policy enforcement in Loader in Google Chrome”. The NVD entry explains that the bug allowed remote threat actors to leak cross-origin data via a crafted HTML page.
"Query parameters can contain sensitive data - for example, in OAuth flows, this might lead to an Account Takeover. Developers rarely consider the possibility of stealing query parameters via an image from a 3rd-party resource,” explained researcher Vsevolod Kokorin, who is credited with discovering the bug.
Time to patch
The flaw was first reported on May 5, and Google shipped a patch on May 14. The browser giant did not say whether the flaw was being exploited in real-world attacks, but it did state that a public exploit existed (which basically means the same thing).
Now, with CISA adding the bug to KEV, FCEB agencies have until June 5 to patch their Chrome instances or stop using the browser altogether. The first clean versions are 136.0.7103.113 for Windows/Linux and 136.0.7103.114 for macOS. In most cases Chrome deploys the update automatically, so just double-check which version you’re running.
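Checking a fleet against the fixed builds named above is a simple version comparison, but it is easy to get wrong by comparing version strings lexically or by forgetting that the macOS threshold differs from the Windows/Linux one. The script below is an added example, not code from the article, Google or CISA; the hostnames and the inventory entries are constructed sample data, and the version strings are assumed to be in Chrome's four-part `major.minor.build.patch` form.

```python
from typing import List, Tuple

# First Chrome builds that contain the fix for CVE-2025-4664, as stated in the article.
PATCHED_VERSIONS = {
    "windows": (136, 0, 7103, 113),
    "linux": (136, 0, 7103, 113),
    "macos": (136, 0, 7103, 114),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'major.minor.build.patch' into an int tuple so comparison is numeric, not lexical.

    '136.0.7103.92' must sort below '136.0.7103.113', which a plain string compare gets wrong.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(platform: str, version: str) -> bool:
    """True if the installed build is at or above the first fixed build for that platform."""
    key = platform.lower()
    if key not in PATCHED_VERSIONS:
        raise ValueError(f"no patched-version threshold known for platform {platform!r}")
    return parse_version(version) >= PATCHED_VERSIONS[key]


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames whose Chrome still needs updating.

    inventory rows are (hostname, platform, installed_version), as an endpoint
    management export might provide them (assumed format).
    """
    return [host for host, platform, version in inventory if not is_patched(platform, version)]


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "136.0.7103.113"),   # exactly the fixed Windows build
    ("ws-02", "windows", "136.0.7103.92"),    # older build, needs update
    ("mac-01", "macos", "136.0.7103.113"),    # fixed on Windows/Linux, but macOS needs .114
    ("srv-01", "linux", "136.0.7103.200"),    # later build, already patched
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: Chrome below fixed build, update before the KEV deadline")
```

Feed it the real export from your endpoint management tool in place of `SAMPLE_INVENTORY`; the point of the per-platform table is that a macOS host on 136.0.7103.113 looks patched if you only remember the Windows number.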
"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA warned.
Indeed, the web browser is one of the most frequently targeted programs, since it handles untrusted data from countless sources around the web. Cybercriminals are always looking for vulnerabilities in browser code, plugins, or poorly secured websites, in an attempt to grab login credentials or find other ways to compromise the wider network.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.