Full Report
A vulnerability has been discovered in Google Chrome which could allow for arbitrary code execution. Successful exploitation of this vulnerability could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Analysis Summary
# Vulnerability: Arbitrary Code Execution in Google Chrome
## CVE Details
- CVE ID: CVE-2025-4664, CVE-2025-4609
- CVSS Score: N/A (Severity risk rating provided by the advisory: HIGH for large/medium entities)
- CWE: N/A (no CWE identifiers are listed in the advisory; the weakness classes must be inferred from the technical descriptions below)
## Affected Systems
- Products: Google Chrome
- Versions: Prior to 136.0.7103.113/.114 for Windows and Mac; Prior to 136.0.7103.113 for Linux
- Configurations: Any system running the specified vulnerable versions of Chrome.
## Vulnerability Description
Two distinct vulnerabilities exist within Google Chrome that could lead to Arbitrary Code Execution (ACE) in the context of the logged-on user.
1. **CVE-2025-4664:** Related to "Insufficient policy enforcement in Loader."
2. **CVE-2025-4609:** Related to an "Incorrect handle provided in unspecified circumstances in Mojo."
Successful exploitation allows an attacker to execute arbitrary code with the privileges of the user running the browser. This could enable installation of programs, data manipulation (view, change, delete), or creation of new user accounts with full user rights. Impact is lessened for users operating with lower, non-administrative privileges.
## Exploitation
- Status: Not exploited in the wild (as of advisory date)
- Complexity: Not explicitly rated, but ACE flaws generally trend towards Medium/High complexity unless a simple PoC becomes available.
- Attack Vector: Network, via Drive-By Compromise (MITRE ATT&CK technique T1189 under the Initial Access tactic TA0001)
## Impact
- Confidentiality: High (If exploited by an admin user)
- Integrity: High (If exploited by an admin user)
- Availability: Medium (Potential for disruption/installation of malicious software)
## Remediation
### Patches
- Chrome version **136.0.7103.113** or later for Windows and Mac.
- Chrome version **136.0.7103.113** or later for Linux.
### Workarounds
- Apply the Principle of Least Privilege: Run all software, including Chrome, as a non-privileged user to diminish the effects of a successful attack (Mitigation M1026).
- Restrict execution of code to a virtual environment on or in transit to the endpoint system (Application Isolation and Sandboxing - M1048).
- Restrict use of certain websites, block downloads/attachments, block JavaScript, and restrict browser extensions (M1021).
## Detection
- Indicators of Compromise: Not detailed in the advisory; look for abnormal child processes spawned from the browser process context, unauthorized file system modifications, or creation of new user accounts.
- Detection methods and tools: Use Exploit Protection capabilities (M1050), enable anti-exploitation features (DEP, WDEG, SIP, Gatekeeper), and employ DNS filtering services (Safeguard 9.2) and network-based URL filters (Safeguard 9.3).
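The abnormal-process-creation check from the detection bullet above, as an added example that is not part of the advisory: it runs over constructed Sysmon Event ID 1 style process-creation records (the field names RecordId, User, ParentImage, Image and CommandLine are this example's assumption), allowlists Chrome's own renderer, GPU, utility and helper processes, and reports anything else spawned from the browser, rating interpreters and account-creation command lines high.

```python
# Added example (not from the advisory): flag process-creation telemetry where
# the Chrome browser spawned something other than one of its own helpers.
import os

# Interpreters and script hosts a browser has no legitimate reason to launch.
HIGH_RISK_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                      "rundll32.exe", "regsvr32.exe", "certutil.exe", "sh", "bash", "python3", "curl", "wget"}
# Command-line markers of local account creation, an effect the advisory lists.
ACCOUNT_CREATION_MARKERS = ("net user", "net1 user", "useradd", "dscl")

def image_name(path: str) -> str:
    """Lower-case basename, accepting Windows or POSIX separators."""
    return os.path.basename(path.replace("\\", "/")).lower()

def is_chrome(path: str) -> bool:
    """True for chrome.exe, chrome, 'Google Chrome', its Helper apps and chrome_crashpad_handler."""
    return image_name(path).startswith(("chrome", "google chrome"))

def flag_events(events: list[dict[str, str]]) -> list[dict[str, str]]:
    """One finding per event whose parent is Chrome but whose child is not a Chrome process."""
    findings = []
    for ev in events:
        if not is_chrome(ev["ParentImage"]) or is_chrome(ev["Image"]):
            continue  # not browser-spawned, or Chrome's own renderer/GPU/utility process
        child, cmdline = image_name(ev["Image"]), ev.get("CommandLine", "").lower()
        if any(marker in cmdline for marker in ACCOUNT_CREATION_MARKERS):
            severity, reason = "high", "account creation from browser context"
        elif child in HIGH_RISK_CHILDREN:
            severity, reason = "high", "interpreter or script host spawned by browser"
        else:
            severity, reason = "medium", "unexpected child of browser process"
        findings.append({"record": ev["RecordId"], "user": ev["User"], "child": child,
                         "severity": severity, "reason": reason})
    return findings

def make_event(rid: str, user: str, parent: str, image: str, cmd: str) -> dict[str, str]:
    """Sysmon Event ID 1 style record; the field names are the ones this example assumes."""
    return {"RecordId": rid, "User": user, "ParentImage": parent, "Image": image, "CommandLine": cmd}

# Constructed sample telemetry: records 1 and 2 are benign, records 3 to 5 should fire.
CHROME_WIN = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    make_event("1", "CORP\\alice", CHROME_WIN, CHROME_WIN, "chrome.exe --type=renderer"),
    make_event("2", "CORP\\alice", r"C:\Windows\explorer.exe", CHROME_WIN, "chrome.exe"),
    make_event("3", "CORP\\alice", CHROME_WIN, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               "powershell.exe -NoProfile -File C:\\Users\\Public\\upd.ps1"),
    make_event("4", "CORP\\alice", CHROME_WIN, r"C:\Windows\System32\cmd.exe", "cmd.exe /c net user svc_help Pa55 /add"),
    make_event("5", "bob", "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome", "/usr/bin/osascript", "osascript -e ..."),
]
```

`flag_events(SAMPLE_EVENTS)` returns three findings (records 3 and 4 high, record 5 medium); in practice, feed it the parsed process-creation events from your EDR or Sysmon pipeline.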
## References
- Vendor Advisories: http://chromereleases.googleblog.com/2025/05/stable-channel-update-for-desktop_14.html
- CVE Details: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4664, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4609