The internet giant said it reported the bug to Microsoft 10 days ago but the company has done nothing to address the issue publicly.
The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape.
“This vulnerability is particularly serious because we know it is being actively exploited,” Google said in a blog post on Monday.
Google said it has already deployed a fix to protect Chrome users, but Windows is still vulnerable.
“We encourage users to verify that auto-updaters have already updated Flash and to manually update if not and to apply Windows patches from Microsoft when they become available for the Windows vulnerability,” the blog post added.