Chrome 136 Released With Patch For 20-Year-Old Privacy Vulnerability

The Chrome team has officially promoted Chrome 136 to the stable channel for Windows, Mac, and Linux, marking a significant update for users across platforms.

The rollout, which will occur over the coming days and weeks, brings a host of fixes and improvements, with a particular focus on security and privacy enhancements.

One of the most notable changes in Chrome 136 is the resolution of a privacy flaw that has existed for over 20 years. This longstanding issue allowed websites to determine which links users had previously visited by exploiting the browser’s handling of the CSS :visited selector.

Traditionally, browsers display visited links in a different color (often purple). Still, this styling was applied globally, meaning any website could potentially detect if a user had visited a particular link elsewhere.

This design flaw exposed users to tracking, profiling, and even phishing attacks, as malicious sites could probe a user’s browsing history by checking the color state of links. In Chrome 136, Google has implemented a new triple-key partitioning system for visited links.

Now, the visited status is stored using three keys: the link URL, the top-level site, and the frame origin. This change ensures that only the originating site can access information about visited links, effectively eliminating cross-site history leaks.

For usability, visited links will still be marked as such within the same site, preserving familiar navigation cues without compromising privacy.

Security Fixes and Rewards

Chrome 136 also addresses eight security vulnerabilities, several of which were discovered by external researchers. Highlights include:

• A high-severity heap buffer overflow in HTML (CVE-2025-4096), earning a $5,000 reward.
• Two medium-severity issues in DevTools: out-of-bounds memory access (CVE-2025-4050) and insufficient data validation (CVE-2025-4051), both rewarded at $2,000.
• A low-severity inappropriate implementation in DevTools (CVE-2025-4052), with a $1,000 reward.

In addition to these externally reported bugs, Google’s internal security teams contributed numerous fixes through audits, fuzzing, and advanced sanitization tools such as AddressSanitizer and MemorySanitizer.

The extended stable channel has also been updated to version 136.0.7103.48/49 for Windows and Mac, ensuring that enterprise and risk-averse users benefit from these critical security and privacy improvements.

Users are encouraged to update their browsers as soon as Chrome 136 becomes available and to stay tuned for upcoming blog posts detailing new features and major efforts delivered in this release.

Closing a decades-long privacy gap, Chrome 136 represents a major step forward in user security and trust.

Are you from the SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.