Chrome 0-Day CVE-2025-4664 Exposes Windows, Linux Browser Activity

A newly disclosed vulnerability in Google Chrome and Chromium-based browsers is putting users at risk of data leaks. Tracked as CVE-2025-4664, the flaw allows attackers to extract sensitive information like login tokens and session IDs from previously visited websites.
The security issue was detailed today by Wazuh, a cybersecurity company specializing in open-source threat detection. It affects users on both Windows and Linux, including Debian and Gentoo systems.
The issue resides in Chrome’s handling of the Link HTTP header when loading sub-resources such as images and scripts. While most browsers ignore referrer policies set in these headers, Chrome honors them, even on cross-origin requests. That means an attacker can deliberately set a relaxed policy, such as unsafe-url, to receive full referrer URLs.
These URLs can include sensitive data from other sites a user recently visited. If an attacker controls the destination server, they can quietly collect that data without the user knowing.
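The mechanism above can be checked for on the defensive side: a response header audit that parses each Link header value, reads its referrerpolicy parameter and flags cross-origin sub-resource hints that would send the full page URL (path and query included) to another server. The following is an added example written for this article, not code from Wazuh, Google or the original post. It assumes Link header syntax as in RFC 8288, and the sample page URL and header are constructed for illustration; besides unsafe-url, which the article names, it also flags no-referrer-when-downgrade, which sends the full URL on HTTPS-to-HTTPS loads.

```python
import re
from typing import Dict, List
from urllib.parse import urljoin, urlsplit

# Referrer-policy values that send the full referring URL (path and query
# included) to a cross-origin destination. The article names unsafe-url;
# no-referrer-when-downgrade behaves the same way for HTTPS-to-HTTPS loads.
FULL_URL_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}


def split_link_header(header: str) -> List[str]:
    """Split a Link header into link-values on commas outside <...> and quotes."""
    values, buf, in_target, quoted = [], [], False, False
    for ch in header:
        if ch == '"':
            quoted = not quoted
        elif ch == "<" and not quoted:
            in_target = True
        elif ch == ">" and not quoted:
            in_target = False
        if ch == "," and not in_target and not quoted:
            values.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    values.append("".join(buf))
    return [v.strip() for v in values if v.strip()]


def parse_link_value(value: str) -> Dict[str, str]:
    """Parse one link-value '<target>; param=value; ...' into a dict (param names lowercased)."""
    m = re.match(r"\s*<([^>]*)>\s*(.*)$", value, re.S)
    if not m:
        raise ValueError(f"malformed link-value: {value!r}")
    link = {"url": m.group(1)}
    for param in m.group(2).split(";"):
        param = param.strip()
        if not param:
            continue
        name, _, val = param.partition("=")
        link[name.strip().lower()] = val.strip().strip('"').lower()
    return link


def audit_link_header(header: str, page_url: str) -> List[Dict[str, str]]:
    """Return the cross-origin link-values whose referrerpolicy leaks the full page URL."""
    page = urlsplit(page_url)
    findings = []
    for value in split_link_header(header):
        link = parse_link_value(value)
        policy = link.get("referrerpolicy")
        if policy not in FULL_URL_POLICIES:
            continue
        target = urlsplit(urljoin(page_url, link["url"]))
        if (target.scheme, target.netloc) == (page.scheme, page.netloc):
            continue  # same-origin: the referrer stays on our own server
        findings.append({"url": link["url"], "rel": link.get("rel", ""),
                         "referrerpolicy": policy})
    return findings


# Constructed sample: a page URL carrying a session token in its query string,
# and a Link header whose second preload points cross-origin with unsafe-url.
# The first value is same-origin and the third uses a safe policy, so only
# the second one should be reported.
SAMPLE_PAGE_URL = "https://shop.example.com/account?session=abc123"
SAMPLE_LINK_HEADER = (
    "</static/app.js>; rel=preload; as=script; referrerpolicy=unsafe-url, "
    "<https://cdn.example.net/lib.js>; rel=preload; as=script; referrerpolicy=unsafe-url, "
    "<https://cdn.example.net/site.css>; rel=preload; as=style; referrerpolicy=origin"
)

if __name__ == "__main__":
    for f in audit_link_header(SAMPLE_LINK_HEADER, SAMPLE_PAGE_URL):
        print(f"LEAK: {f['url']} ({f['rel']}) sends the full referrer via {f['referrerpolicy']}")
```

Run against your own responses, this is a way to confirm that no page which carries secrets in its URL also emits a Link header that would hand that URL to a third-party host; the same-origin check matters because a relaxed policy on your own static assets leaks nothing to anyone else.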
Users on the following systems are vulnerable if their browsers have not been updated:
- Windows: Google Chrome versions before 136.0.7103.113
- Debian 11 Linux: Chromium up to version 120.0.6099.224
- Gentoo Linux: Chrome or Chromium versions before 136.0.7103.113
Google has issued an emergency update to fix the vulnerability in Chrome on Windows and Chromium on Gentoo Linux. Debian users should uninstall affected versions of Chromium until a patched version becomes available.
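For fleet inventory it is easy to get the version comparison above wrong by comparing version strings lexically ("136.0.7103.9" sorts after "136.0.7103.113" as text). The following is an added example, not code from the article or from Wazuh: it takes the thresholds exactly as the article states them, parses dotted versions into integer tuples, and reports whether an installed build falls inside the listed affected range. The platform labels are my own.

```python
from typing import Tuple

# Thresholds exactly as stated in the article; the platform keys are labels chosen here.
FIXED_IN = {
    "windows": "136.0.7103.113",   # Google Chrome before this version is affected
    "gentoo": "136.0.7103.113",    # Chrome or Chromium before this version is affected
}
DEBIAN11_AFFECTED_THROUGH = "120.0.6099.224"  # Chromium up to and including this version


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '136.0.7103.113' into (136, 0, 7103, 113) so that comparison is numeric."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(platform: str, installed: str) -> bool:
    """True if the installed Chrome/Chromium build is inside the affected range the article lists."""
    ver = parse_version(installed)
    if platform in FIXED_IN:
        return ver < parse_version(FIXED_IN[platform])
    if platform == "debian11":
        # The article gives no fixed Debian 11 version, only the last affected one.
        return ver <= parse_version(DEBIAN11_AFFECTED_THROUGH)
    raise ValueError(f"unknown platform: {platform!r}")


if __name__ == "__main__":
    # Constructed inventory rows: (platform, installed version)
    for platform, installed in [("windows", "136.0.7103.9"),
                                ("windows", "136.0.7103.113"),
                                ("debian11", "120.0.6099.224")]:
        state = "VULNERABLE" if is_vulnerable(platform, installed) else "ok"
        print(f"{platform:8} {installed:16} {state}")
```

For Debian 11 a result of False only means the build is outside the range the article lists; since no fixed version is named for that platform, the article's advice to remove affected Chromium packages until a patched build ships still applies.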
If Chrome isn’t updating automatically, follow these steps to make sure you’re running the latest version and protected against CVE-2025-4664:
- Open Chrome – Launch Google Chrome on your device.
- Go to the Menu – Click the three vertical dots in the top-right corner of the browser window.
- Select “Help” → “About Google Chrome” – This will open a new tab that shows your current version and automatically checks for updates.
- Wait for Chrome to Check for Updates – If a newer version is available, Chrome will start downloading it right away.
- Click “Relaunch” – Once the update is downloaded, click “Relaunch” to restart the browser and complete the installation.
To confirm the update, go back to Help > About Google Chrome. The browser should now show the latest version number and the message “Google Chrome is up to date.”
If you’re on Windows, make sure the Chrome Update service is enabled in your system settings or through the Group Policy Editor. On Linux systems, especially those using Chromium, updates may require package manager commands or manual downloads depending on the distribution.
Wazuh’s blog post explains the importance of proactive vulnerability detection. Their tools provide real-time tracking and insights that help administrators stay on top of security threats, especially when zero-day flaws like this one come into play.
HackRead