Summary
| OEM | Google Chrome |
| Severity | High |
| CVSS Score | 8.8 |
| CVEs | CVE-2025-9864, CVE-2025-9865, CVE-2025-9866, CVE-2025-9867 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
Several security vulnerabilities were recently identified in Chromium-based browsers, affecting components such as the V8 JavaScript engine, Toolbar, Extensions and Downloads. The high-severity vulnerability, a use-after-free issue in V8, could allow attackers to execute arbitrary code.
Additional medium-severity bugs were found in the Toolbar, Extensions, and Downloads components. The Chrome team has started rolling out Chrome 140 to the stable channel, and users are urged to update their browsers to stay protected.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Use-after-free vulnerability in V8 | CVE-2025-9864 | Chrome | High | v140.0.7339.80/81 |
| Inappropriate implementation vulnerability in Toolbar | CVE-2025-9865 | Chrome | Medium | v140.0.7339.80/81 |
| Inappropriate implementation vulnerability in Extensions | CVE-2025-9866 | Chrome | Medium | v140.0.7339.80/81 |
| Inappropriate implementation vulnerability in Downloads | CVE-2025-9867 | Chrome | Medium | v140.0.7339.80/81 |
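To check an endpoint inventory against the fixed build listed above, the following added example (not part of the original advisory) classifies reported Google Chrome version strings. It assumes 140.0.7339.80 is the minimum fixed build, as the advisory states; the hostnames and version strings in the sample are constructed.

```python
import re

# Minimum fixed build, taken from the advisory ("prior to version 140.0.7339.80").
FIXED = (140, 0, 7339, 80)

# Chrome versions have four dot-separated numeric parts.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part version from free text such as the output of
    `google-chrome --version`. Returns a tuple of ints, or None if absent."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(text):
    """Return 'patched', 'vulnerable' or 'unknown' for one reported version."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    # Compare numerically, part by part. A plain string comparison would rank
    # "140.0.7339.9" above "140.0.7339.80" and report it as patched.
    return "patched" if v >= FIXED else "vulnerable"


def audit(inventory):
    """Map each host to its status; inventory is {host: version string}."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE = {
    "ws-001": "Google Chrome 139.0.7258.154",
    "ws-002": "Google Chrome 140.0.7339.80",
    "ws-003": "140.0.7339.81",
    "ws-004": "Google Chrome 140.0.7339.9",
    "ws-005": "not installed",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host}: {status}")
```

Hosts reported as "unknown" need a manual check rather than being counted as patched.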
Technical Summary
Multiple vulnerabilities were addressed in Google Chrome prior to version 140.0.7339.80. The most critical, CVE-2025-9864, is a use-after-free issue in the V8 JavaScript engine that allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Other medium-severity issues include a Toolbar vulnerability on Android that could be exploited via specific user gestures to spoof domains, a security gap in Extensions allowing attackers to bypass content security policies, and a Downloads flaw on Android that enabled UI spoofing through manipulated web pages.
These could allow attackers to misuse Chrome’s features or gain higher system privileges.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-9864 | Chrome v139 and prior | Use-after-free in V8 engine could allow attackers to execute arbitrary code via a malicious webpage | Remote Code Execution |
| CVE-2025-9865 | Chrome v139 and prior | Improper handling in Chrome’s Toolbar component could allow attackers to misuse browser functions or gain privileged access | Domain Spoofing / UI Spoofing |
| CVE-2025-9866 | Chrome v139 and prior | Inappropriate implementation in Chrome’s Extensions system could allow attackers to misuse or bypass content security policy | Content Security Policy Bypass |
| CVE-2025-9867 | Chrome v139 and prior | Improper validation in Chrome’s Downloads could allow attackers to perform UI spoofing via crafted HTML | UI Spoofing |
Remediation:
References: