Google has just rolled out a critical security and feature update for its widely used web browser, Google Chrome, and if you are one of the millions using it daily, this is not the kind of update you should miss. The new version—136.0.7103.113/.114 for Windows and macOS, and 136.0.7103.113 for Linux—started rolling out via the Stable channel on May 14, 2025, and brings with it crucial patches for multiple security vulnerabilities, including the medium-severity CVE-2025-4372.
This particular flaw, a “use-after-free” vulnerability in Chrome’s Web Audio module, could be used to crash your browser or even let attackers execute malicious code on your system. And it’s not the only one: the update also addresses CVE-2025-4664, a high-risk bug that is already being actively exploited in the wild, and CVE-2025-2783, the first confirmed zero-day vulnerability found in Chrome this year.
Let us break that down. A zero-day means there was no time for users to patch the flaw before bad actors started using it, so the clock is ticking.
Why CVE-2025-4664 Matters
Google has confirmed that this update addresses four critical security vulnerabilities, including one that is actively being exploited. Among the most notable fixes is CVE-2025-4664, a high-severity vulnerability tied to insufficient policy enforcement in the Chrome Loader component.
Originally reported by security researcher @slonser_ on May 5, 2025, CVE-2025-4664 allows potential attackers to bypass Chrome’s internal security policies. Exploiting this flaw could result in unauthorized code execution or even sandbox escapes. Google acknowledged active exploitation of the vulnerability in the wild and issued a security advisory encouraging users to update their browsers immediately.
In response, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-4664 to its Known Exploited Vulnerabilities Catalog and urged users and organizations to apply the patch by June 5, 2025.
Another key fix in this update is CVE-2025-4372, a medium-severity vulnerability categorized as a “use-after-free” issue in the Web Audio module. These types of vulnerabilities can potentially be exploited to crash systems or execute malicious code.
Google also addressed CVE-2025-2783, the first zero-day vulnerability discovered in Chrome this year. While details on its exploitation remain limited, it highlights the increasing frequency of zero-day threats in modern software ecosystems.
A fourth vulnerability, CVE-2025-4609, was reported by a researcher named Micky on April 22, 2025. This high-severity flaw stems from an incorrect handle provided in unspecified conditions within the Mojo IPC system. Like CVE-2025-4664, this vulnerability could be exploited to execute arbitrary code with user-level privileges, especially concerning users operating with administrative rights.
Google Chrome Performance and Feature Enhancements
Beyond security, Chrome version 136.0.7103.113/.114 introduces several performance improvements and user-facing features. Notable backend enhancements include more efficient rendering processes and better memory management, designed to streamline overall browser performance.
Chrome users can also expect new features such as updates to the TabGroupHeader accessible name and improved behavior in popover-focus functionality, both of which aim to refine user navigation and accessibility.
Additionally, developers have resolved bugs that were causing crashes in the AddToTopLayer function and issues with the Update button in chrome://extensions, contributing to a more stable browsing experience.
What You Should Do
If you’re running a version of Google Chrome older than 136.0.7103.113, it’s time to update immediately. Google strongly advises both individual users and organizations to apply the patch to stay protected. Unpatched browsers are easy targets, especially when flaws like CVE-2025-4372 and CVE-2025-4664 are known and actively being probed by attackers.
Recommendation One Must Follow:
-
Enabling automatic updates so patches are applied as soon as they’re available.
-
Using browsers and software that are fully supported and actively maintained.
-
Employing regular vulnerability assessments in enterprise environments to catch outdated software versions before attackers do.
Conclusion
It is strongly recommended that users and organizations apply the patch without delay and implement automated patching procedures regularly. It is equally important to use only fully supported and up-to-date browsers and email clients to minimize exposure to threats.
Google acknowledged the critical role of external researchers in identifying issues such as CVE-2025-4372, CVE-2025-4664, and CVE-2025-2783—some of which were uncovered using advanced tools like AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, libFuzzer, and AFL.
