Google Chrome Deadline—21 Days To Update Or Stop Using Browser

Update now warning for 2 billion Chrome users
Republished on May 17 with confirmation of Microsoft’s emergency fix for Edge and more detail on the vulnerability to ongoing attacks.
Google has warned that Chrome is open to attack, and has rushed out a fix for a vulnerability that lets an attacker steal the sensitive query-string data a browser carries after login, such as an OAuth authorization code, which can amount to an account takeover that multi-factor authentication does not stop. It is a critical issue, and it needs to be fixed immediately. The U.S. government has now mandated that all federal staff update by June 5. Whether you are a home or enterprise user, you should do the same.
America’s cyber defense agency has told all federal agency staff to “apply mitigations per vendor instructions… or discontinue use of the product if mitigations are unavailable.” That means update inside the next 21 days or stop using your browser until you do.
CISA’s formal mandate only applies to federal employees, but its remit extends to all organizations, “to help [them] better manage vulnerabilities and keep pace with threat activity.” Given the nature of this threat, users should act now. CISA issues plenty of such mandates, but given Chrome’s install base and that this threat is now in the public domain, it really is critical for you to follow suit.
As I warned yesterday, Google’s fix for CVE-2025-4664 came with a warning “of reports that an exploit exists in the wild.” This was flagged on X by @slonser_, after discovering that “a technique that’s probably not widely known in the community” enabled a query parameter takeover that could exploit sensitive data included in the string. “In OAuth flows, this might lead to an Account Takeover” if that query parameter is stolen.
In practice this means a crafted page can obtain the full URL, including its query string, of a request made by another origin in the same browser. As publicly described by the researcher, the technique abuses how Chrome applied a referrer policy delivered in a Link response header to subresource loads, so that a URL that should have been truncated was sent in full to an attacker-controlled origin. When that URL is an OAuth redirect carrying an authorization code or token after you have logged into a service, the attacker can use the captured value to complete the login and replicate your session on their own device.
Per SC Media, “its inclusion in the KEV catalog indicates the attackers have attempted to misuse the flaw in the wild.” But it is unclear whether the flagged exploit is the researcher’s proof of concept or there are actual attacks underway, with bad actors having identified the vulnerability independently. It does not matter now. The technique is in the public domain, and we are in the period of maximum risk, when attackers strike before browsers are patched.
Cybersecurity News warns “the vulnerability stems from an incorrect handle provided under unspecified circumstances in Chrome’s Mojo Inter-Process Communication (IPC) layer, potentially leading to unauthorized code execution or sandbox escape. The vulnerability poses significant risks, including unauthorized data leakage across web origins… Given its classification as a zero-day flaw, it was exploited before Google released the patch, heightening the urgency for mitigation.” Note that the Mojo IPC description does not match the bug tracked as CVE-2025-4664. Google’s release note describes CVE-2025-4664 as insufficient policy enforcement in Chrome’s Loader that lets a crafted HTML page leak cross-origin data, which is the query-string theft described above; the incorrect Mojo IPC handle was a separate bug fixed in the same release and is not the one reported as exploited.
Check your Chrome browser for the notification that an update has been downloaded and you need to relaunch to ensure it installs, or open chrome://settings/help, which triggers the update check and shows the installed version. You are looking for Chrome version 136.0.7103.113 (Linux and macOS) or 136.0.7103.114 (Windows), or later. Do this as soon as you can, and do not let dozens of open tabs hold you back: with this vulnerability, it is imperative to patch now.
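For anyone who has to verify this across a fleet rather than one desktop, here is a small POSIX shell check, added here as an example and not part of the article or of Google’s tooling. It parses the banner that `google-chrome --version` (or Chromium’s equivalent) prints, compares it field by field against the first fixed build, and reports patched or vulnerable; a plain string comparison would get this wrong, since `136.0.7103.92` sorts after `136.0.7103.113` lexically. The sample banners at the bottom are constructed, and the macOS binary path is an assumption about the default install location.

```shell
#!/bin/sh
# Added example (not from the article): is an installed Chrome/Chromium build
# at or above the first release carrying the CVE-2025-4664 fix?

# First fixed build in Google's release note. Windows shipped .114, which the
# numeric comparison below treats as newer, so one threshold covers both.
FIXED_VERSION="136.0.7103.113"

# version_ge A B: succeed (0) if dotted version A >= B, comparing each of the
# four fields numerically; missing trailing fields count as 0.
version_ge() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# extract_version BANNER: print the first four-part dotted version in a
# --version banner such as "Google Chrome 136.0.7103.113"; prints nothing if absent.
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+){3}' | head -n 1
}

# chrome_status BANNER: print "patched", "vulnerable" or "unknown" and return
# 0, 1 or 2 respectively, so the function works in scripts and in pipelines.
chrome_status() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"; return 2
    fi
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "patched"; return 0
    fi
    echo "vulnerable"; return 1
}

# detect_chrome_banner: print the banner of the first browser binary found.
# Linux package names are standard; the macOS path is an assumed default install.
detect_chrome_banner() {
    for bin in google-chrome google-chrome-stable chromium chromium-browser \
               "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"; do
        if command -v "$bin" >/dev/null 2>&1; then
            "$bin" --version 2>/dev/null
            return 0
        fi
    done
    return 1
}

# Run with --self to check the local machine; otherwise only the constructed
# sample banners below are evaluated, so the script runs offline.
if [ "${1:-}" = "--self" ]; then
    banner=$(detect_chrome_banner) || { echo "no Chrome binary found"; exit 2; }
    echo "$banner -> $(chrome_status "$banner")"
else
    for sample in "Google Chrome 136.0.7103.92" \
                  "Google Chrome 136.0.7103.113" \
                  "Chromium 135.0.7049.114"; do
        echo "$sample -> $(chrome_status "$sample")"
    done
fi
```

On Windows the same comparison can be fed the `version` value from the `chrome.exe` file properties or from `chrome://version`; the threshold logic is identical.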
The same update warning also applies to Microsoft Edge. “This CVE was assigned by Chrome,” the Windows-maker has confirmed, but given “Microsoft Edge (Chromium-based) ingests Chromium,” that fix also “addresses this vulnerability.”