

Multiple Microsoft Windows Products Zero-Day Vulnerabilities Exploit in the Wild
May 14, 2025
Bitter APT – Active IOCs
May 15, 2025
Severity
Medium
Analysis Summary
Google has urgently released a security update for Chrome, addressing four vulnerabilities, including a critical zero-day flaw, CVE-2025-4664. This vulnerability is caused by insufficient policy enforcement in Chrome's Loader component, which could allow attackers to execute unauthorized code or escape the browser’s sandbox. Malicious actors can exploit this flaw using specially crafted HTML pages to bypass security policies, potentially leading to severe consequences such as cross-origin data leaks and system compromise. Google confirmed active exploitation in the wild, significantly increasing the urgency of updating.
The CVE-2025-4664 flaw was publicly disclosed by a security researcher. Evidence suggests the vulnerability may have been exploited for several days or weeks before the patch was made available. In addition to this zero-day, the update also addresses CVE-2025-4609, another high-severity issue involving incorrect handle usage in Mojo, Chrome’s Inter-Process Communication (IPC) layer. Flaws in Mojo can lead to privilege escalation and memory corruption, especially in complex multi-process environments like Chrome.
Google credits the identification of these vulnerabilities to external researchers, who reported the Mojo issue on April 22. These discoveries were further bolstered by internal tools like AddressSanitizer, which has helped uncover over 300 bugs within Chromium. This demonstrates Google’s commitment to a layered and proactive security strategy, combining internal tooling with community engagement through bug bounty rewards.
Given Chrome's global dominance with a 65% market share, it remains a prime target for threat actors. Users are strongly urged to manually verify their browser version by visiting chrome://settings/help and ensure they are running Chrome version 136.0.7103.113/.114 on Windows/Mac, 136.0.7103.113 on Linux, or 136.0.7103.125 on Android. While updates will roll out automatically, the critical nature of CVE-2025-4664 makes it imperative to check and apply updates immediately to mitigate risk.
Impact
- Code Execution
- Gain Access
- Security Bypass
Indicators of Compromise
CVE
- CVE-2025-4664
- CVE-2025-4609
Affected Vendors
- Google
Affected Products
- Google Chrome prior to 136.0.7103.113
Remediation
- Update Chrome immediately.
- Navigate to chrome://settings/help to manually check for updates.
- Ensure you are running: Windows/Mac: Version 136.0.7103.113 or 136.0.7103.114, Linux: Version 136.0.7103.113, Android: Version 136.0.7103.125.
- Updates are not fully applied until the browser is restarted. Close all Chrome windows and reopen to complete the update.
- Make sure Chrome’s automatic update feature is enabled to receive future patches promptly.
- Until fully updated, avoid clicking on unknown or untrusted links, especially HTML pages that could exploit the Loader component.
- Admins should monitor systems using endpoint detection and response (EDR) tools for unusual browser behavior.
- Consider using browser sandboxing or remote browser isolation in high-risk environments to reduce the impact of future exploits.
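For administrators who need to check many endpoints rather than one browser, the version check above can be run over an inventory export. The following is an added example, not part of the original advisory: the CSV layout, host names and the non-advisory version numbers in the sample are constructed, and only the minimum patched builds come from this page.

```python
import csv
import io
import re

# Minimum patched Chrome builds per platform, as listed in this advisory.
FIXED = {
    "windows": (136, 0, 7103, 113),
    "mac": (136, 0, 7103, 113),
    "linux": (136, 0, 7103, 113),
    "android": (136, 0, 7103, 125),
}

# Constructed sample inventory (hypothetical hosts), e.g. an EDR/MDM export.
SAMPLE_INVENTORY = """host,os,chrome_version
ws-001,Windows,136.0.7103.114
ws-002,Windows,136.0.7103.99
mac-007,Mac,135.0.7049.115
lnx-build1,Linux,136.0.7103.113
phone-12,Android,136.0.7103.113
kiosk-3,ChromeOS,136.0.7103.113
ws-009,Windows,unknown
"""


def parse_version(text):
    """Return a 4-part integer tuple, or None if not a Chrome version string."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def classify(os_name, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory row."""
    fixed = FIXED.get(os_name.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # never treat missing data as patched
    # Compare numerically: as strings, "7103.99" would sort above "7103.113".
    return "patched" if version >= fixed else "vulnerable"


def audit(inventory_csv):
    """Map each host in the CSV text to its classification."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["os"], r["chrome_version"]) for r in rows}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Hosts reported as `unknown` (unrecognized platform or unreadable version) need manual follow-up; they are deliberately not counted as patched.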