Google has released a Chrome stable channel update that addresses a zero-day vulnerability tracked as CVE-2025-4664.
Google describes CVE-2025-4664 as insufficient policy enforcement in Loader, the Chrome component responsible for fetching page resources. A remote attacker can use a crafted HTML page to leak cross-origin data, so the impact is information disclosure across origins rather than code execution. Google states in the advisory that it is aware of reports that an exploit for the vulnerability exists in the wild.
CISA confirmed active exploitation by adding CVE-2025-4664 to its Known Exploited Vulnerabilities (KEV) catalog, with a remediation due date of June 5, 2025 for federal agencies.
This is the second Chrome zero-day Google has patched since the start of the year, following CVE-2025-2783 in March.
Google addressed one more vulnerability in the same advisory. CVE-2025-4609 stems from an incorrect handle being provided in unspecified circumstances in Mojo, Chrome's inter-process communication layer; a remote attacker could potentially use it, via a crafted HTML page, to escape the renderer sandbox.
Affected Versions
Both vulnerabilities affect Google Chrome versions prior to 136.0.7103.113.
Mitigation
Customers must update to stable channel version 136.0.7103.113/.114 for Windows and Mac, or 136.0.7103.113 for Linux. Chrome downloads the update automatically but only applies it after a relaunch, so a browser that has been running for days may still report the old version until it is restarted.
For more information, please refer to the Google Chrome Release Page.
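The fixed build is identified by a four-component version string, and a common mistake when checking an inventory export is to compare those strings lexicographically (which would rate 136.0.7103.99 as newer than 136.0.7103.113). The following is an added example, not Qualys or Google code, that parses Chrome version strings, compares them numerically against the fixed build, and buckets hosts as vulnerable, patched or unknown. The `google-chrome` binary name, the hostnames and the version strings in the sample inventory are all constructed assumptions for illustration.

```python
"""Check whether installed Google Chrome builds predate the fixed release for
CVE-2025-4664 / CVE-2025-4609 (136.0.7103.113).

Added example for this advisory, not Qualys or Google code. Hostnames and
version strings in the sample inventory are constructed, not real data.
"""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = "136.0.7103.113"

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Extract a four-component Chrome version from strings such as
    'Google Chrome 136.0.7103.113' or a bare '136.0.7103.92'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no Chrome-style version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `installed` is older than the fixed build. Components are
    compared as integers; a plain string comparison would wrongly treat
    136.0.7103.99 as newer than 136.0.7103.113."""
    return parse_version(installed) < parse_version(fixed)


def installed_chrome_version(binary: str = "google-chrome") -> Optional[str]:
    """Ask the local binary for its version via `<binary> --version`.
    Returns None when the binary is missing or unresponsive so the caller
    treats the host as 'unknown' rather than 'patched'. The binary name is
    an assumption; adjust it for the platform being checked."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() or None


def triage(hosts: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Classify a mapping of hostname -> reported version string (for example
    an inventory export) into 'vulnerable', 'patched' and 'unknown'.
    Unparseable or empty versions land in 'unknown' so they are followed up
    rather than silently counted as safe."""
    result: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, ver in hosts.items():
        if not ver:
            result["unknown"].append(host)
            continue
        try:
            bucket = "vulnerable" if is_vulnerable(ver) else "patched"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    # Constructed inventory sample; hostnames and versions are not real.
    sample = {
        "ws-01": "Google Chrome 136.0.7103.92",
        "ws-02": "Google Chrome 136.0.7103.113",
        "ws-03": "Google Chrome 136.0.7103.114",
        "ws-04": "Google Chrome 135.0.7049.115",
        "ws-05": "Google Chrome 136.0.7103.99",   # string compare gets this wrong
        "ws-06": None,                            # no Chrome reported
    }
    for bucket, names in triage(sample).items():
        print(f"{bucket}: {', '.join(names) or '-'}")

    local = installed_chrome_version()
    if local:
        state = "VULNERABLE" if is_vulnerable(local) else "patched"
        print(f"this host: {local} -> {state}")
```

Because Chrome applies a downloaded update only on relaunch, a version reported by a running browser process can lag the version on disk; the `--version` query above reads the installed binary, which is the value that matters for this check.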
Qualys Detection
Qualys customers can scan their devices with QID 383237 to detect vulnerable assets.
Rapid Response with Patch Management (PM)
Qualys Patch Management and its Zero-Touch Patching feature provide a seamless, automated process of patching a vulnerability like this.
Zero-Touch Patching identifies the most vulnerable products in your environment and automates the deployment of necessary patches and configuration adjustments. This streamlines the patching process and ensures vulnerabilities are addressed promptly.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://chromereleases.googleblog.com/2025/05/stable-channel-update-for-desktop_14.html