Chrome 136 Fixes 20-Year-Old Privacy Bug in Latest Update

Google has begun rolling out Chrome 136 to the stable channel for Windows, Mac, and Linux, bringing significant security and privacy upgrades to millions of users worldwide.

The update, set to be distributed over the coming days and weeks, addresses a range of vulnerabilities. However, its most notable change closes a privacy loophole that has persisted for over two decades.

Since the early days of web browsing, browsers have visually distinguished visited links, usually with a different color, to help users navigate online.

However, this feature has harbored a serious privacy flaw: websites have been able to detect whether a user has visited certain links elsewhere by exploiting how browsers, including Chrome, handled the CSS :visited selector.

This loophole exposed users to potential tracking and profiling, as malicious sites could stealthily probe a user’s browsing history based on the appearance of links.

According to a Cyber Security News report, with Chrome 136, Google has radically changed how visited links are tracked. The browser now employs a “triple-key partitioning” system, storing the visited status of links using three elements: the specific link URL, the top-level site, and the frame origin.

This means only the site where the link originates can access information about its visited status, closing the door on cross-site history sniffing once and for all.

Navigational cues remain intact for users within the same site but no longer compromise privacy across the web.

Security Fixes and Bug Bounties

Alongside this privacy breakthrough, Chrome 136 patches eight other security vulnerabilities, several found by independent researchers:

• A critical heap buffer overflow in HTML (CVE-2025-4096): Rewarded with $5,000.
• Two medium-severity issues in DevTools: Out-of-bounds memory access (CVE-2025-4050) and insufficient data validation (CVE-2025-4051), each earning $2,000.
• A low-severity bug in DevTools (CVE-2025-4052): Awarded $1,000.

Many additional fixes stem from internal audits and advanced security technologies, including AddressSanitizer and MemorySanitizer, further securing the platform for all users.

The extended stable release (v136.0.7103.48/49) has also been updated for enterprise users, making these critical protections more widely available.

Google encourages all Chrome users to update their browsers as Chrome 136 rolls out. Users can anticipate upcoming blog posts highlighting new features and significant progress made in this release.

By finally closing a decades-old privacy gap, Chrome 136 sets a new standard for browser security and user trust, demonstrating Google’s ongoing commitment to privacy-first innovation.

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!