What's Happening
On May 19, 2026, Google released proof-of-concept (PoC) exploit code for CVE-2025-4664 — a critical use-after-free vulnerability in Chromium's LDAP component. The disclosure came as part of Google's normal coordinated vulnerability disclosure process, but the timing is raising alarms across the security community.
The vulnerability affects Chrome, Edge, Brave, and any Chromium-based browser. An attacker could exploit it via a specially crafted web page to achieve arbitrary code execution.
Why This Is Serious
Use-after-free bugs are particularly dangerous because they exploit memory management errors. When a program frees memory but continues to use a pointer to that memory, an attacker can hijack the freed memory block and execute arbitrary code.
Here's what makes CVE-2025-4664 especially alarming:
- Active exploitation confirmed: This is not theoretical — Google explicitly warns it has been exploited in the wild.
- LDAP component exposure: Chromium's LDAP handling is less scrutinized than its rendering engine, making this a relatively easy attack surface.
- Wide browser impact: Every Chromium-based browser is potentially affected, not just Chrome.
- PoC now public: The release of exploit code means attackers no longer need to reverse-engineer the patch — they can build exploits immediately.
What Builders Should Do Right Now
1. Update Immediately
If you're shipping a Chromium-based product or managing end-user machines, force-update to the latest version:
- Chrome: 137.0.7103.113+ (stable)
- Edge: 137.0.7103.113+ (stable)
- Brave: 1.76.x or newer
chrome://settings/help to verify your build number. If you manage fleet deployments, push updates through your MDM or policy engine now — don't wait for the next scheduled rollout.
2. Check Your Browser Dependency Tree
Many server-side tools and CI/CD pipelines run headless Chromium for testing, scraping, or automation. Audit your package.json, Docker images, and deployment configs:
# Check Chrome version in common contexts
google-chrome --version
chromium-browser --version
node -e "require('playwright') && console.log('Playwright browser:', require('playwright/package.json').version)"If you're using Puppeteer, Playwright, or puppeteer-sharp, update the bundled Chromium immediately.
3. Consider Browser Isolation
For high-value targets (executives, security teams, devs with repo access), browser isolation or hardening tools like I桐Browser or Ghostery can reduce exposure. The attack requires a malicious page — isolation prevents that page from executing in your primary browser context.
4. Monitor for IOCs
While there's no confirmed mass exploitation campaign yet, the release of PoC code typically triggers scanning within hours. Watch for:
- Unexplained high CPU usage in browser processes
- Unexpected outbound connections on ports 389, 636 (LDAP)
- Unfamiliar extensions or plugins appearing in browser settings
The Disclosure Controversy
Security researchers are debating whether Google's decision to publish PoC code was the right call. On one side, transparency helps defenders build better detection rules. On the other, it gives attackers a head start they didn't have before.
The practical reality: attackers likely already had working exploits given the in-the-wild exploitation. Publishing the PoC levels the playing field for defenders — but only if those defenders act fast.
Bottom Line
This is a 9.8 CVSS severity vulnerability with active exploitation. If you manage any Chromium-based infrastructure, your action items are clear:
The window between PoC publication and mass exploitation is measured in days, not weeks. Move now.