
Google has released a critical Stable Channel Update for Chrome Desktop, bumping the version to 136.0.7103.113/.114 for Windows and macOS, and 136.0.7103.113 for Linux. This update, rolling out over the next few days and weeks, includes four security fixes, two of which are rated high severity—with one confirmed to be exploited in the wild.
The standout fix in this release is CVE-2025-4664, classified as high severity due to insufficient policy enforcement in the Loader. The bug was initially disclosed via an X post by security researcher @slonser_ on May 5, 2025.
“Google is aware of reports that an exploit for CVE-2025-4664 exists in the wild,” the company warns.
The flaw allows an attacker to bypass security policies within Chrome’s Loader logic, potentially leading to unauthorized code execution or sandbox escape. Because an exploit already exists in the wild, patching is significantly more urgent.
Another high-severity flaw addressed in this update is CVE-2025-4609, stemming from an incorrect handle provided under unspecified circumstances within Chrome’s Mojo IPC (Inter-Process Communication) layer.
While less publicly detailed than CVE-2025-4664, bugs in the Mojo system can often lead to privilege escalation, memory corruption, or logic bypasses—especially in complex, multi-process applications like Chrome.
Google credits external researchers—including @slonser_ and Micky—for responsibly reporting these issues. As is standard, bug details are currently restricted to prevent further exploitation.
What You Should Do
If you’re using Google Chrome on any desktop platform—Windows, macOS, or Linux—you should ensure you are updated to:
- Chrome 136.0.7103.113/.114 (Windows/macOS)
- Chrome 136.0.7103.113 (Linux)
You can check your version by navigating to chrome://settings/help, which will also trigger an update check and install any pending updates.
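For more than a handful of machines, the comparison against the fixed build can be scripted. The following is an added example, not part of the original article or Google's advisory: it assumes version strings were collected in the form printed by `google-chrome --version` (host names and sample versions are constructed), and it compares them numerically, because a plain string comparison ranks .92 above .113.

```python
import re

# Fixed build taken from the article; .114 is an alternate Windows/macOS build
# of the same release, so .113 is the minimum patched build on every platform.
FIXED = (136, 0, 7103, 113)

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Extract a four-part Chrome version from free text such as
    'Google Chrome 136.0.7103.92'. Returns a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def is_patched(text, fixed=FIXED):
    """True if at or above the fixed build, False if older,
    None if no version could be parsed (treat as needing review)."""
    v = parse_version(text)
    return None if v is None else v >= fixed

def audit(inventory):
    """Return the hosts needing attention as (host, reported, reason)."""
    findings = []
    for host, reported in inventory:
        status = is_patched(reported)
        if status is None:
            findings.append((host, reported, "unparseable"))
        elif not status:
            findings.append((host, reported, "outdated"))
    return findings

# Constructed sample inventory (hypothetical hosts and collected strings).
SAMPLE = [
    ("win-01", "Google Chrome 136.0.7103.114"),
    ("mac-02", "Google Chrome 136.0.7103.113"),
    ("lin-03", "Google Chrome 136.0.7103.92 "),   # older, but sorts higher as a string
    ("win-04", "Google Chrome 135.0.7049.115"),
    ("lin-05", "chrome not found"),
    ("mac-06", "Google Chrome 137.0.7151.40"),
]

if __name__ == "__main__":
    for host, reported, reason in audit(SAMPLE):
        print(f"{host}: {reason} ({reported.strip()})")
```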