Full Report
Google has released emergency security updates to patch a high-severity Chrome vulnerability that has a public exploit and can let attackers hijack accounts. [...]
Analysis Summary
# Vulnerability: Insufficient Policy Enforcement in Chrome Loader Leads to Cross-Origin Data Leakage
## CVE Details
- CVE ID: CVE-2025-4664
- CVSS Score: Not explicitly provided, but described as **high severity**.
- CWE: Insufficient Policy Enforcement
## Affected Systems
- Products: Google Chrome
- Versions: Versions prior to 136.0.7103.113 (Windows/Linux) and 136.0.7103.114 (macOS).
- Configurations: Any configuration where the Link header processing triggers subresource requests allowing referrer policy manipulation.
## Vulnerability Description
The flaw is an insufficient policy enforcement vulnerability within the Google Chrome Loader component. Specifically, Chrome resolves the `Link` header on subresource requests, which can be used to set a `referrer-policy`. An attacker can craft a malicious HTML page that forces a subresource request (e.g., an image) to use a URL containing sensitive data in its query parameters (like an OAuth token) and set the `referrer-policy` to `unsafe-url`. Because Chrome processes this header, the sensitive data in the query parameters is leaked via the referrer header during the third-party resource load, potentially leading to account takeovers.
## Exploitation
- Status: Public exploit available (discovered and reported by Vsevolod Kokorin).
- Complexity: Implied to be low/medium, as it relies on standard browser request behavior manipulation.
- Attack Vector: Network (via maliciously crafted HTML pages).
## Impact
- Confidentiality: Potential for **High Impact**, as sensitive data (like OAuth tokens) can be leaked.
- Integrity: Potential impact if leaked data leads to account takeover.
- Availability: Low direct impact expected.
## Remediation
### Patches
- Google Chrome Stable Desktop Channel:
- Windows/Linux: **136.0.7103.113**
- macOS: **136.0.7103.114**
### Workarounds
- Users should update immediately. No explicit workarounds are detailed, but limiting navigation to untrusted external content or network traffic inspection might offer temporary defense until patching is complete.
## Detection
- Detection focuses on immediate patching. Network monitoring for unusual outbound connections triggered by subresource loading accompanied by unexpected referrer headers containing query parameters from sensitive internal paths could be an indicator.
## References
- Vendor Advisory (Implied via news source coverage)
- Researcher Disclosure: bleepingcomputer dot com/news/security/google-fixes-high-severity-chrome-flaw-with-public-exploit/