An anonymous researcher picked up a $25,633 bug bounty for discovering a critical vulnerability in Chrome (CVE-2016-1629), which Google has now patched in version 48.0.2564.

While Google won't release details of the bug until the majority of users have had time to update, the company noted that it was a “same-origin bypass in Blink and Sandbox escape in Chrome.”

Google said it “will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven't yet fixed.”

Earlier this year, with the release of Chrome 48.0.2564.82 Google promoted Chrome 48 into the stable channel for Linux, Mac and Windows.