- Google recently patched a new Chrome flaw
- Now CISA has added that vulnerability to KEV, pointing to abuse in the wild
- Federal agencies have three weeks to update Chrome
The US Cybersecurity and Infrastructure Security Agency (CISA).
The flaw is tracked as CVE-2025-4664. It was recently discovered by Solidlab security researchers and is described as “insufficient policy enforcement in Loader in Google Chrome.” NVD explains that the bug allowed remote threat actors to leak cross-origin data via a crafted HTML page.
“Query parameters can contain sensitive data, for example in OAuth flows, where this could lead to an account takeover. Developers rarely consider the possibility of stealing query parameters via an image from a third-party resource,” explained researcher Vsevolod Kokorin, who was credited with discovering the bug.
Patch time
The flaw was first discovered on May 5, with Google following up with a patch on May 14. The browser giant did not say whether the bug had been exploited in real-world attacks, but did say a public exploit existed (which amounts to much the same thing).
Now that CISA has added the bug to KEV, FCEB agencies have until June 5 to patch their Chrome instances or stop using the browser altogether. The first clean versions are 136.0.7103.113 for Windows/Linux and 136.0.7103.114 for macOS. In many cases Chrome will apply the update automatically, so simply verify which version is running.
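The version check above is easy to get wrong if versions are compared as strings (for example, "136.0.7103.92" sorts after "136.0.7103.113" alphabetically). The following script is an added example, not code from the article, Google or CISA: it parses Chrome's four-part version string, compares it numerically against the per-platform fixed builds quoted above, and, when run directly, tries to read the locally installed version. The command paths and the Windows registry key it reads are assumptions about common install locations, not something the article specifies.

```python
"""Check whether an installed Chrome build is at or above the CVE-2025-4664 fix.

Added example: the fixed versions are the ones quoted in the article; the
lookup locations for the installed version are assumed defaults.
"""
import platform
import re
import subprocess
from typing import Optional, Tuple

# First clean builds named in the article, keyed by platform.system() values.
FIXED_VERSIONS = {
    "Windows": "136.0.7103.113",
    "Linux": "136.0.7103.113",
    "Darwin": "136.0.7103.114",  # macOS
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a four-part Chrome version (e.g. from 'Google Chrome 136.0.7103.113')
    and return it as a tuple of ints so comparisons are numeric, not lexical."""
    match = re.search(r"(\d+(?:\.\d+){3})", text)
    if not match:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_patched(installed: str, system: str) -> bool:
    """True if the installed build is at or above the fixed build for this platform."""
    fixed = FIXED_VERSIONS.get(system)
    if fixed is None:
        raise ValueError(f"no fixed version known for platform {system!r}")
    return parse_version(installed) >= parse_version(fixed)


def installed_chrome_version(system: Optional[str] = None) -> Optional[str]:
    """Best-effort read of the locally installed Chrome version.

    Assumed locations: 'google-chrome --version' on Linux, the app bundle binary
    on macOS, and the HKCU BLBeacon registry value on Windows. Returns None if
    Chrome cannot be found.
    """
    system = system or platform.system()
    try:
        if system == "Windows":
            import winreg  # only available on Windows
            key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Google\Chrome\BLBeacon")
            version, _ = winreg.QueryValueEx(key, "version")
            return str(version)
        if system == "Darwin":
            cmd = ["/Applications/Google Chrome.app/Contents/MacOS/Google Chrome", "--version"]
        else:
            cmd = ["google-chrome", "--version"]
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
        return out.stdout.strip() or None
    except (OSError, ValueError, subprocess.SubprocessError):
        return None


def report(system: Optional[str] = None) -> str:
    """Human-readable verdict for the local machine."""
    system = system or platform.system()
    found = installed_chrome_version(system)
    if found is None:
        return f"Chrome not found on {system}; nothing to check."
    verdict = "patched" if is_patched(found, system) else "VULNERABLE - update Chrome"
    return f"{found.strip()} on {system}: {verdict} (fix: {FIXED_VERSIONS[system]})"


if __name__ == "__main__":
    print(report())
```

Note that the macOS fix is one patch level higher than Windows/Linux, so a single global threshold would wrongly report 136.0.7103.113 on macOS as clean; keying the threshold by platform avoids that.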
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned.
Indeed, the web browser is one of the most frequently targeted programs, since it handles untrusted data from countless sources on the web. Cybercriminals constantly look for vulnerabilities in browser code or on poorly secured websites in an attempt to obtain login credentials or other means of compromising the wider network.
Via BleepingComputer