Google Chrome Patching 3 High Security Flaws Highlights Browser Security
Google Chrome emergency security update tracked as CVE-2026-2441; Highlights Browser Security
Continue ReadingBrowser security
Mozilla Firefox Releases 145 Security Updates, 16 High-Severity Vulnerabilities across multiple Firefox versions & Platforms
Summary : Mozilla released the Firefox 145 Security Update on November 11, 2025, addressing 16 vulnerabilities affecting multiple components allowing arbitrary code execution.
The Mozilla Firefox advisory details reveal that exploiting these vulnerabilities requires attackers to deliver malicious content via compromised websites or through network attacks. The vulnerability landscape reveals concerning patterns in critical components where WebGPU graphics processing emerges as a significant attack surface, with five separate boundary condition flaws identified.
| OEM | Mozilla |
| Severity | High |
| Date of Announcement | 2025-11-11 |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
| Vulnerability Name | CVE ID | Product Affected | Severity |
| Graphics Race Condition Enabling Remote Code Execution | CVE-2025-13012 | Firefox | High |
| WebAssembly Boundary Error RCE | CVE-2025-13016 | Firefox | High |
| WebGPU Boundary Error Leading to Remote Code Execution | CVE-2025-13021 | Firefox | High |
| WebGPU Boundary Error Leading to Remote Code Execution | CVE-2025-13022 | Firefox | High |
| WebGPU Sandbox Escape via Boundary Flaw | CVE-2025-13023 | Firefox | High |
| JavaScript Engine JIT Miscompilation RCE | CVE-2025-13024 | Firefox | High |
| WebGPU Boundary Error Leading to Remote Code Execution | CVE-2025-13025 | Firefox | High |
| WebGPU Sandbox Escape and Code Execution | CVE-2025-13026 | Firefox | High |
| Memory Safety Bugs Allowing Arbitrary Code Execution | CVE-2025-13027 | Firefox, Thunderbird | High |
Mozilla released the Firefox 145 Security Update on November 11, 2025, addressing 16 vulnerabilities affecting multiple components.
The patched vulnerabilities include memory safety bugs, boundary errors, race conditions, and sandbox escapes that could allow remote code execution (RCE), privilege escalation or data exposure. Although no active exploitation has been reported. Users and administrators should upgrade immediately to prevent exploitation and maintain browser security integrity.
Technical Summary
Memory corruption and sandbox escape issues could allow attackers to run malicious code or bypass.
Firefox’s isolation controls, leading to full system compromise. WebRTC and multimedia use-after-free bugs further increase the risk of crashing or leaking live data.
Though no exploitation has been detected, users and enterprises should update immediately to reduce exposure to emerging browser-based threats.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-13012 | Graphics Subsystem | Race condition vulnerability leads to system crash or remote execution. | Remote Code Execution |
| CVE-2025-13016 | JavaScript: WebAssembly | Incorrect memory boundary validation allows code execution through crafted scripts. | Remote Code Execution |
| CVE-2025-13021 | Graphics: WebGPU | Boundary condition errors may cause memory corruption and remote code execution. | Remote Code Execution |
| CVE-2025-13022 | Graphics: WebGPU | Boundary error in WebGPU rendering pipeline allowing memory corruption | Remote Code Execution |
| CVE-2025-13023 | Graphics: WebGPU | Sandbox escape via boundary flaw enabling code execution outside browser process. | Sandbox Escape, RCE |
| CVE-2025-13024 | JavaScript Engine: JIT | JIT miscompilation allows stealthy remote code execution within browser context. | Remote Code Execution |
| CVE-2025-13025 | Graphics: WebGPU | Improper memory boundary control in WebGPU leads to RCE. | Remote Code Execution |
| CVE-2025-13026 | Graphics: WebGPU | Sandbox escape enabling remote code execution beyond browser sandbox. | Sandbox Escape, RCE |
| CVE-2025-13027 | Firefox / Thunderbird | Memory safety errors across multiple components allow arbitrary code execution. | Remote Code Execution |
Source: Microsoft, Cybersecurity News
In addition to several high severity vulnerabilities, the update also addresses several other Medium and Low severity vulnerabilities across browser subsystems –
- CVE-2025-13017: DOM Notifications Origin Bypass – Same-origin policy bypass may expose user data or notifications to untrusted sites. (Medium)
- CVE-2025-13018: DOM Security Mitigation Bypass – Allows limited circumvention of built-in browser security controls. (Medium)
- CVE-2025-2884: TCG TPM 2.0 Vulnerability – Out-of-bounds read in TPM cause info disclosure or DoS, impacting secure boot. (Medium)
- CVE-2025-13019: DOM Workers Origin Bypass – May expose cross-origin content or enable script injection. (Medium)
- CVE-2025-13013: DOM Core/HTML Mitigation Bypass – Allows controlled bypass of HTML sanitization in certain contexts. (Medium)
- CVE-2025-13014: Audio/Video Use-After-Free – Memory mismanagement issue that could leak multimedia data or crash browser. (Medium)
- CVE-2025-13015: Firefox UI Spoofing – Interface rendering flaw may allow deceptive UI elements. (Low)
Recommendations:
- Update all Firefox to version 145 immediately to mitigate the vulnerabilities.
Here are some recommendations below
- Enable automatic browser updates across all systems.
- Perform vulnerability scans to ensure no outdated browser versions remain.
- Restrict use of WebGPU or WebAssembly APIs in enterprise environments unless essential.
- Educate employees about risks from phishing, drive-by downloads and malicious extensions.
Conclusion:
The Firefox 145 update is a critical security release addressing sixteen vulnerabilities across graphics, WebGPU, JavaScript engine, DOM, and WebRTC components.
Immediate patching and adherence to strong security hygiene are essential to prevent remote code execution, sandbox escapes, and data leaks. Timely remediation ensures operational continuity and protection of both individual and enterprise users against evolving exploitation techniques targeting browser flaws.
Improving browsing behavior significantly reduces risk exposure of users. Reporters Oskar L and Jamie Nicol highlighted how these bugs exploit WebGPU’s high-performance rendering, a feature increasingly targeted as web apps grow more graphics-intensive.
References:
Report says ChatGpt Atlas is Vulnerable for Users: Understanding Open-AI Agent Mode
Atlas’s autofill and form interaction capabilities present potential attack points
As per reports ChatGpt Atlas browser is vulnerable to attacks and is laced with inherent weakness in comparison to other browser like Google Chrome. As per ‘LayerX ‘who discovered the weakness in ChatGpt Atlas, described threat actors have the ability to inject malicious instructions into ChatGPT’s ‘memory’ and execute remote code and this works by way of cross-site request forgery requests.
These exploit can allow attackers to infect systems with malicious code, grant themselves access privileges or deploy malware. “Understanding “Agent Mode” is most important and core of Atlas which is not same for any traditional browsers. In traditional browser where users manually move from site to site, agent mode allows ChatGPT to semi-autonomously operate your browser.
For e.g. any user wanting to use ChatGPT for work related purposes, the malicious code planted earlier mostly tainted will be invoked automatically to execute remote code, allowing attackers to gain control of the user account .This may include their browser, code they are writing or systems they have access to.
Rate of Vulnerability is 90% A Warning for Users
The rate of vulnerability is 90% then other browsers as when an attacker wish they can push or inject malicious instructions into ChatGPT’s Atlas ‘memory’ and later execute via remote code.
There is a more basic warning as well. “Atlas does not include meaningful anti-phishing protections, meaning that users of this browser are “up to 90% more vulnerable to phishing attacks than users of traditional browsers,” LayerX says.
Key pointers from research
ChatGPT’s Atlas is not resilient to Phishing attacks
Out of 103 in-the-wild attacks that LayerX tested 97 to go through, a whopping 94.2% failure rate
Compared to Edge (which stopped 53% of attacks in LayerX’s test) and Chrome (which stopped 47% of attacks),
ChatGPT Atlas was able to successfully stop only 5.8% of malicious web pages
Unlike traditional web browsers where you manually navigate the internet, agent mode allows ChatGPT to operate your browser semi-autonomously.
The technology works by giving ChatGPT access to your browsing context. It can see every open tab, interact with forms, click buttons and navigate between pages just as you would.
Importance of Security by Design for web browsing & How AI is intricately involved
The sandboxing approach which is security by design is to keep websites isolated from attacks and prevent malicious code from accessing data from other tabs is crucial to modern web architecture. This is the basis of modern web that depends on separation. But if its not implemented what can be the impact.
But in Atlas, the AI agent isn’t malicious code – it’s a trusted user with permission to see and act across all sites. In this browser isolation is not required. Here AI is not directly connected to the threat but what AI does is AI following a hostile command hidden in the environment. This opens doors to security and privacy risks many users are ill-equipped to handle.
Let me put an example : If you search for air tickets and visit a site , the Atlas ChatGpt will prompt and try to book a ticket or you search for movies in near by theater ,it attempts to book a ticket ”, it will explore options and try to book reservation. Atlas autofill’s and form interaction capabilities present potential attack points, especially when AI is making rapid decisions about information entry and submission.
This is possible when access is granted to ChatGPT for any browsing requirement or context that allows it to view and open tabs, interact with forms and navigate between pages like humans do.
Is User’s security getting compromised
The above example gives users warning that any AI powered browser may be convenient but not without security risks and those who are ChatGpt Atlas, should give extreme cautious before choices are made . Do not share browsing history with any AI mode, instead adopt incognito mode. Any malicious code can influence the AI’s behavior if browsing and this can happen across multiple tabs.
In case of Atlas, the condition is more vulnerable as Atlas provides inputs like humans doing and AI in disguise executing harmful commands within the environment.
Will AI Agent or Open AI make browsing safe for users or what it means to have safe browsing.
(Source: https://www.bbc.com/news/articles/c20pdy1exxvo)
Google Chrome Patched High-Severity Memory Vulnerabilities
Summary : Security Advisory: Google recently rolled out an update for Chrome to address two high & and one medium severity vulnerabilities.
| OEM | |
| Severity | High |
| CVSS Score | 8.0 |
| CVEs | CVE-2025-11458, CVE-2025-11460, CVE-2025-11211 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
A heap buffer overflow in the Sync component and a use-after-free (UAF) vulnerability in the Storage component have been fixed, along with other security issues.
Users and administrators are advised to apply the latest patch as soon as possible to ensure their systems remain secure.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Heap Buffer Overflow in Sync | CVE-2025-11458 | Chrome (Windows, Mac, Linux) | High | 141.0.7390.65/66 |
| Use-After-Free in Storage | CVE-2025-11460 | Chrome (Windows, Mac, Linux) | High | 141.0.7390.65/66 |
| Out-of-Bounds Read in WebCodecs | CVE-2025-11211 | Chrome (Windows, Mac, Linux) | Medium | 141.0.7390.65/66 |
Technical Summary
Google released an update for the Chrome Stable channel, addresses three significant security vulnerabilities related to memory safety. The update addresses multiple critical memory-related vulnerabilities within Chrome’s core components.
These include a flaw that could allow attackers to corrupt memory during browser data synchronization, potentially enabling arbitrary code execution, and another vulnerability in the storage system that involves improper memory handling after an object is freed, which could also lead to exploitation through crafted web content.
Additionally, a medium-severity issue was fixed in the media processing API that could cause exposure of sensitive memory or impact browser stability when handling certain media files. These fixes are part of ongoing efforts to improve browser security by mitigating risks of remote code execution, data exposure, and crashes.
| CVE ID | Component Affected | Vulnerability Details | Impact |
| CVE-2025-11458 | Chrome Sync component | Heap buffer overflow in the Sync component could allow memory corruption and potentially enable arbitrary code execution when handling synchronization data. | Remote Code Execution / Data Leakage |
| CVE-2025-11460 | Chrome Storage component | Use-after-free in the Storage component could allow attackers to access freed memory, potentially leading to code execution or information disclosure. | Remote Code Execution / Browser Instability |
| CVE-2025-11211 | Chrome WebCodecs API | Out-of-bounds read in the WebCodecs API could expose memory contents or crash the browser when processing malformed media inputs. | Memory Disclosure / Browser Crash |
Recommendations
Update Chrome immediately to the following versions:
- Windows/Mac: Chrome v141.0.7390.65/66
- Linux: Chrome v141.0.7390.65
Here are bellow recommended actions
- Manual Update Check: Navigate to Settings → Help → About Google Chrome to force update.
- Enterprise Patch Management: Enforce Chrome auto-updates across managed systems.
- Threat Monitoring: Actively monitor browser crash reports, endpoint security alerts, and system/network logs for suspicious behavior.
Conclusion:
This update reflects Chrome’s continued commitment to robust browser security by addressing multiple critical memory vulnerabilities that could otherwise be exploited for remote code execution, data exposure, or browser instability.
Promptly applying updates is essential to reduce potential attack surfaces, maintain browser stability, and safeguard user data against emerging threats.
References:
Google Addresses Actively Exploited Zero-Day Vulnerability CVE-2025-6558 in Chrome
Google has issued a critical emergency update for the Chrome browser to address CVE-2025-6558, a zero-day vulnerability that is actively being exploited in the wild. This high-severity flaw exists in Chrome’s ANGLE and GPU components, which are responsible for rendering graphics in the browser.
Summary
| OEM | |
| Severity | High |
| CVSS Score | 8.8 |
| CVEs | CVE-2025-6558 |
| POC Available | No |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
Exploitation of this vulnerability could allow attackers to execute malicious code or gain unauthorized access to user systems. The update is being rolled out for Windows, macOS and Linux platforms.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Improper Input Validation in ANGLE/GPU Stack vulnerability | CVE-2025-6558 | Google Chrome | High (Zero-day) | 138.0.7204.157/.158 (Windows/macOS), 138.0.7204.157 (Linux) |
Technical Summary
CVE-2025-6558 is a high-severity vulnerability caused by improper validation of untrusted input in Chrome’s ANGLE (Almost Native Graphics Layer Engine) and GPU components. These components translate graphics instructions and interact closely with the system’s native APIs.
The flaw was discovered by Google’s Threat Analysis Group (TAG) and is being actively exploited in real-world attacks. If left unpatched, it could enable attackers to compromise the browser rendering process and potentially execute arbitrary code on the user’s device.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-6558 | Chrome on Windows, macOS, Linux | Untrusted input is incorrectly validated, allowing malicious manipulation of graphics rendering | Remote code execution through active exploitation |
Additional Vulnerabilities Patched in This Update
In addition to the zero-day CVE-2025-6558, Google also addressed two other high-severity vulnerabilities as part of this update:
- CVE-2025-7656 – An integer overflow vulnerability in Chrome’s V8 JavaScript engine, which could be exploited to corrupt memory and potentially achieve remote code execution. This flaw was reported by security researcher Shaheen Fazim.
- CVE-2025-7657 – A use-after-free vulnerability in the WebRTC (Web Real-Time Communication) component. Improper memory handling in real-time communication features could allow attackers to crash the browser or execute arbitrary code remotely. This issue was reported by researcher jakebiles.
Remediation:
- Users should immediately update Google Chrome to the latest patched version:
- Windows & Mac: 138.0.7204.157/.158
- Linux: 138.0.7204.157
Conclusion:
CVE-2025-6558 highlights the growing complexity of securing browser components such as ANGLE and GPU. With confirmed active exploitation, users and administrators must prioritize this update to prevent potential remote code execution attacks.
Timely patching remains one of the most effective defenses against modern browser-based threats.
References:
Recent Comments