Google released a security advisory to address a zero-day vulnerability tracked as CVE-2025-4664.
CVE-2025-4664 is an insufficient policy enforcement in Loader. The vulnerability could allow attackers to bypass security policies within Chrome’s Loader logic, potentially leading to unauthorized code execution or sandbox escape. Google mentioned in the advisory that they are aware of the reports that an exploit for the vulnerability exists in the wild.
CISA acknowledged the vulnerability’s active exploitation by adding it to its Known Exploited Vulnerabilities Catalog and urging users to patch it before June 5, 2025.
This is the second zero-day vulnerability addressed by Google since the start of the year. CVE-2025-2783 was the first zero-day addressed by Google this year.
Google addressed one more vulnerability in the advisory. Tracked as CVE-2025-4609, the vulnerability originates from an incorrect handle provided in unspecified circumstances in the Mojo.
Affected Versions The vulnerability affects Google Chrome versions before 136.0.7103.113.
Mitigation: Customers must upgrade to the latest stable channel version
Windows & Mac 136.0.7103.113/.114
Linux 136.0.7103.113 for Linux.
For more information, please refer to the Google Chrome Release Page.
Microsoft has released the Microsoft Edge Stable Channel (Version 136.0.3240.76) to address CVE-2025-4664, which the Chromium team has reported as being exploited in the wild.
Zero-Touch Patching identifies the most vulnerable products in your environment and automates the deployment of necessary patches and configuration adjustments. This streamlines the patching process and ensures vulnerabilities are addressed promptly.
References: Chrome Releases: Stable Channel Update for Desktop
