Researcher Awarded $250,000 for Discovering Critical Chrome Sandbox Escape Vulnerability

A security researcher has secured the top payout in Google’s Chrome bug bounty program after uncovering a severe vulnerability that allowed a sandbox escape combined with remote code execution.

The flaw, officially identified as CVE-2025-4609, was submitted to Google on April 22 by a researcher known online as Micky. Google released a patch in mid-May as part of the Chrome 136 update, and the full technical details have now been disclosed.

According to Google, the vulnerability resided in Chrome’s Mojo inter-process communication system and was classified as high severity. Micky’s proof-of-concept exploit successfully bypassed Chrome’s sandbox restrictions and executed system commands — demonstrated by launching the calculator application — with a success rate of 70–80%.

Typically, exploitation of such vulnerabilities requires luring a victim into visiting a specially crafted, malicious website.

The $250,000 reward is the maximum amount Google offers for a Chrome sandbox escape vulnerability, and it is granted only for submissions that include a detailed, high-quality report, a working remote code execution exploit, and thorough technical analysis.

In its official acknowledgment, Google described CVE-2025-4609 as “a very complex logic bug” and praised the submission for providing “a functional exploit, with strong analysis and clear demonstration of a sandbox escape.”

Earlier this year, Google revealed that it paid out $12 million through its vulnerability reward programs in 2024, with the largest single payout at that time being $110,000 — making this $250,000 reward a new milestone for Chrome security research.

Source: https://www.securityweek.com/chrome-sandbox-escape-earns-researcher-250000