Google Chrome Patching 3 High Security Flaws Highlights Browser Security
Google Chrome emergency security update tracked as CVE-2026-2441; Highlights Browser Security
Chrome update released to patch a zero-day vulnerability that has been exploited in the wild.
Summary : Security advisory: Google has released an urgent security update to patch two high-severity Type Confusion vulnerabilities in the V8 JavaScript engine. The vulnerabilities are CVE-2025-13223 and CVE-2025-13224.
| OEM | |
| Severity | High |
| CVSS Score | 8.8 |
| CVEs | CVE-2025-13223, CVE-2025-13224 |
| POC Available | No |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
One of these vulnerabilities (CVE-2025-13223) is already being actively exploited in the wild, allowing attackers to potentially execute arbitrary code through malicious web content, with which they can bypass Chrome’s sandbox, steal sensitive data, or deploy malware. The fixes have been rolled out in Chrome Stable 142.0.7444.175/.176 across Windows, Mac, and Linux.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Type Confusion Vulnerability in V8 JavaScript Engine | CVE-2025-13223 | Google Chrome | High | v142.0.7444.175 / v142.0.7444.176 |
| Type Confusion Vulnerability in V8 JavaScript Engine | CVE-2025-13224 | Google Chrome | High | v142.0.7444.175 / v142.0.7444.176 |
Technical Summary
Both vulnerabilities stem from type confusion in Chrome’s V8 engine, where incorrect data-type handling leads to memory corruption and possible code execution. CVE-2025-13223 is already being exploited in the wild and may involve APT-driven activity.
Another vulnerability was found internally through Google’s Big Sleep fuzzing system as part of ongoing proactive defense.
These weaknesses can allow attackers to bypass browser security boundaries and execute malicious actions remotely. Users and administrators urgently need to apply Chrome’s latest security updates.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-13223 | Google Chrome (V8 Engine) | Type confusion due to improper type handling in V8 allowing memory corruption. | Remote Code Execution, Sandbox Escape |
| CVE-2025-13224 | Google Chrome (V8 Engine) | Type confusion triggered during script execution, discovered via fuzzing | Remote Code Execution, Browser Crash |
Remediation:
Here are some recommendations below
Conclusion:
With Chrome being the most widely used browser globally, prompt updates are essential to address the new security vulnerabilities. Keeping browsers at the latest version remains the strongest defense against modern web-based attacks.
References:
Summary : The recent Google Chrome update fixed several serious security issues that could let hackers take control of the browser or steal personal data. These vulnerabilities were mostly related to memory handling and scripting errors in important parts of Chrome like the JavaScript engine (V8) and browser interfaces.
| OEM | |
| Severity | High |
| CVSS Score | 8.8 |
| CVEs | CVE-2025-12725, CVE-2025-12726, CVE-2025-12727, CVE-2025-12728, CVE-2025-12729 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
Problems like type confusion and memory misuse could allow attackers to run harmful code just by making users visit malicious websites. Some flaws also affected Chrome’s UI, media processing and extension systems, exposing users to possible unauthorized access or data leaks.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Out-of-Bounds Write in WebGPU | CVE-2025-12725 | Chrome | High | 142.0.7444.134/135 |
| Inappropriate Implementation in Views (UI Rendering) | CVE-2025-12726 | Chrome | High | 142.0.7444.134/135 |
| Inappropriate Memory Handling in V8 JavaScript Engine | CVE-2025-12727 | Chrome | High | 142.0.7444.134/135 |
| Inappropriate Implementation in Omnibox (Unified Search Bar) | CVE-2025-12728 | Chrome | Medium | 142.0.7444.134/135 |
| Inappropriate Implementation in Omnibox (Unified Search Bar) | CVE-2025-12729 | Chrome | Medium | 142.0.7444.134/135 |
Technical Summary
The bugs included memory corruption issues such as out-of-bounds writes and use-after-free errors, which can lead to unpredictable behavior and remote code execution (RCE).
The JavaScript engine vulnerabilities involved mishandling data types or incorrect implementation, enabling attackers to break security boundaries.
Other issues involved UI security logic problems that could mislead users or weaken protections. Google patched all these weaknesses by tightening input validations, fixing memory lifecycle bugs, correcting UI behavior and strengthening internal security checks.
| CVE ID | Component Affected | Vulnerability Details | Impact |
| CVE-2025-12725 | Google Chrome (WebGPU) | Out-of-bounds write in WebGPU due to improper bounds checking, allowing attackers to overwrite memory beyond allocated limits. | Remote Code Execution / Browser Crash |
| CVE-2025-12726 | Google Chrome (Views UI) | Inappropriate implementation in the Views component causing memory corruption. | UI rendering |
| CVE-2025-12727 | Google Chrome (V8 Engine) | Improper handling in the V8 JavaScript engine enabling potential arbitrary code execution through crafted scripts. | Remote Code Execution |
| CVE-2025-12728 | Google Chrome (Omnibox) | Flaws in Omnibox’s implementation could allow UI spoofing or navigation bar manipulation. | UI Spoofing |
| CVE-2025-12729 | Google Chrome (Omnibox) | Similar flaws in Omnibox affecting input validation, leading to potential security bypasses or deceptive UI. | UI Spoofing / Security Bypass |
Recommendations
Update Chrome immediately to the following versions:
To update, open Chrome Settings → Help → About Google Chrome, then allow Chrome to check for and install updates immediately.
Along with the update, you can also follow the recommendations below.
Conclusion:
The Chrome security flaws can compromise devices just through browsing. Because millions use Chrome daily, these gaps were a high risk, and Google has already patched them. Keeping any application at the latest version is the best defense against cyber threats aimed at browsers.
References:
Atlas’s autofill and form interaction capabilities present potential attack points
According to reports, the ChatGPT Atlas browser is vulnerable to attacks and has inherent weaknesses compared with other browsers such as Google Chrome. According to LayerX, which discovered the weakness in ChatGPT Atlas, threat actors can inject malicious instructions into ChatGPT’s ‘memory’ and execute remote code; this works by way of cross-site request forgery requests.
These exploits can allow attackers to infect systems with malicious code, grant themselves access privileges or deploy malware. Understanding “Agent Mode” is most important: it is the core of Atlas and is not the same as anything in traditional browsers. Unlike a traditional browser, where users manually move from site to site, agent mode allows ChatGPT to operate your browser semi-autonomously.
For example, when a user wants to use ChatGPT for work-related purposes, the tainted malicious code planted earlier will be invoked automatically to execute remote code, allowing attackers to gain control of the user account. This may include their browser, code they are writing or systems they have access to.
Rate of Vulnerability is 90%: A Warning for Users
The rate of vulnerability is 90% higher than in other browsers, as an attacker can, whenever they wish, inject malicious instructions into ChatGPT Atlas’s ‘memory’ and later execute them via remote code.
There is a more basic warning as well: Atlas does not include meaningful anti-phishing protections, meaning that users of this browser are “up to 90% more vulnerable to phishing attacks than users of traditional browsers,” LayerX says.
Key pointers from research
ChatGPT’s Atlas is not resilient to Phishing attacks
Out of 103 in-the-wild attacks that LayerX tested, Atlas allowed 97 to go through, a whopping 94.2% failure rate
Compared to Edge (which stopped 53% of attacks in LayerX’s test) and Chrome (which stopped 47% of attacks), ChatGPT Atlas was able to successfully stop only 5.8% of malicious web pages
Unlike traditional web browsers where you manually navigate the internet, agent mode allows ChatGPT to operate your browser semi-autonomously.
The technology works by giving ChatGPT access to your browsing context. It can see every open tab, interact with forms, click buttons and navigate between pages just as you would.
Importance of Security by Design for web browsing & How AI is intricately involved
The sandboxing approach, which is security by design, keeps websites isolated and prevents malicious code from accessing data from other tabs; it is crucial to modern web architecture. The modern web depends on this separation. But what is the impact if it is not implemented?
But in Atlas, the AI agent isn’t malicious code – it’s a trusted user with permission to see and act across all sites. In this browser, isolation is not required. Here the AI is not itself the threat; the threat is the AI following a hostile command hidden in the environment. This opens doors to security and privacy risks many users are ill-equipped to handle.
To give an example: if you search for air tickets and visit a site, ChatGPT Atlas will prompt and try to book a ticket; or if you search for movies in a nearby theater, it will explore options and try to book a reservation. Atlas’s autofill and form interaction capabilities present potential attack points, especially when the AI is making rapid decisions about information entry and submission.
This is possible when ChatGPT is granted access for any browsing requirement or context, which allows it to view and open tabs, interact with forms and navigate between pages as humans do.
Is the User’s Security Getting Compromised?
The above example warns users that any AI-powered browser may be convenient but is not without security risks, and those who use ChatGPT Atlas should exercise extreme caution before making choices. Do not share browsing history with any AI mode; instead, adopt incognito mode. Any malicious code can influence the AI’s behavior while browsing, and this can happen across multiple tabs.
In the case of Atlas, the exposure is greater, as Atlas provides inputs the way a human would, with the AI in disguise executing harmful commands within the environment.
Will the AI agent or OpenAI make browsing safe for users, and what does it mean to have safe browsing?
(Source: https://www.bbc.com/news/articles/c20pdy1exxvo)
Summary : Security Advisory: Google recently rolled out an update for Chrome to address two high-severity vulnerabilities and one medium-severity vulnerability.
| OEM | |
| Severity | High |
| CVSS Score | 8.0 |
| CVEs | CVE-2025-11458, CVE-2025-11460, CVE-2025-11211 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
A heap buffer overflow in the Sync component and a use-after-free (UAF) vulnerability in the Storage component have been fixed, along with other security issues.
Users and administrators are advised to apply the latest patch as soon as possible to ensure their systems remain secure.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Heap Buffer Overflow in Sync | CVE-2025-11458 | Chrome (Windows, Mac, Linux) | High | 141.0.7390.65/66 |
| Use-After-Free in Storage | CVE-2025-11460 | Chrome (Windows, Mac, Linux) | High | 141.0.7390.65/66 |
| Out-of-Bounds Read in WebCodecs | CVE-2025-11211 | Chrome (Windows, Mac, Linux) | Medium | 141.0.7390.65/66 |
Technical Summary
Google released an update for the Chrome Stable channel that addresses three significant security vulnerabilities related to memory safety. The update addresses multiple critical memory-related vulnerabilities within Chrome’s core components.
These include a flaw that could allow attackers to corrupt memory during browser data synchronization, potentially enabling arbitrary code execution, and another vulnerability in the storage system that involves improper memory handling after an object is freed, which could also lead to exploitation through crafted web content.
Additionally, a medium-severity issue was fixed in the media processing API that could cause exposure of sensitive memory or impact browser stability when handling certain media files. These fixes are part of ongoing efforts to improve browser security by mitigating risks of remote code execution, data exposure, and crashes.
| CVE ID | Component Affected | Vulnerability Details | Impact |
| CVE-2025-11458 | Chrome Sync component | Heap buffer overflow in the Sync component could allow memory corruption and potentially enable arbitrary code execution when handling synchronization data. | Remote Code Execution / Data Leakage |
| CVE-2025-11460 | Chrome Storage component | Use-after-free in the Storage component could allow attackers to access freed memory, potentially leading to code execution or information disclosure. | Remote Code Execution / Browser Instability |
| CVE-2025-11211 | Chrome WebCodecs API | Out-of-bounds read in the WebCodecs API could expose memory contents or crash the browser when processing malformed media inputs. | Memory Disclosure / Browser Crash |
Recommendations
Update Chrome immediately to the following versions:
Here are the recommended actions below
Conclusion:
This update reflects Chrome’s continued commitment to robust browser security by addressing multiple critical memory vulnerabilities that could otherwise be exploited for remote code execution, data exposure, or browser instability.
Promptly applying updates is essential to reduce potential attack surfaces, maintain browser stability, and safeguard user data against emerging threats.
References:
Security advisory : Google has issued a Stable Channel Update for Chrome to address 4 high-severity vulnerabilities, including one zero-day vulnerability (CVE-2025-10585) actively exploited in the wild.
| OEM | |
| Severity | High |
| CVSS Score | N/A |
| CVEs | CVE-2025-10585, CVE-2025-10500, CVE-2025-10501, CVE-2025-10502 |
| POC Available | No |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
This flaw, a Type Confusion in the V8 JavaScript and WebAssembly engine, can allow remote attackers to execute arbitrary code outside of Chrome’s security sandbox when users visit maliciously crafted web pages. Users and administrators are urged to update to the latest Chrome version immediately to mitigate potential exploitation.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Type Confusion in V8 Engine | CVE-2025-10585 | Chrome (Windows, Mac, Linux) | High | 140.0.7339.185/.186 |
Technical Summary
The zero-day vulnerability in Chrome’s V8 engine arises from a type confusion flaw, where object types are misinterpreted, leading to logical errors and memory corruption.
Attackers can exploit this issue when users visit maliciously crafted websites, enabling arbitrary code execution and possible sandbox escape.
This flaw has been confirmed as actively exploited in the wild. In addition to this zero-day, the update also fixes three other high-severity issues: a use-after-free in the Dawn graphics abstraction layer that could lead to memory corruption, a use-after-free in WebRTC that may enable remote code execution, and a heap buffer overflow in ANGLE that could result in program crashes or arbitrary code execution.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-10585 | Google Chrome (Windows, Mac, Linux) | Type confusion in the V8 JavaScript engine could allow memory corruption, arbitrary code execution, and potential sandbox escape | Remote Code Execution / Sandbox Escape |
Other Vulnerabilities
In addition to the zero-day, Google patched three other high-severity vulnerabilities in the same stable channel release.
| Vulnerability Name | CVE ID | Affected Component | Severity |
| Use-after-free in Dawn | CVE-2025-10500 | Chrome GPU Renderer Component (Dawn) | High |
| Use-after-free in WebRTC | CVE-2025-10501 | Chrome WebRTC Audio/Video Communication Module | High |
| Heap Buffer Overflow in ANGLE | CVE-2025-10502 | Chrome Graphics Translation Engine (ANGLE) | High |
Recommendations:
Update Chrome immediately to the following versions:
Here are some Recommendations below
Conclusion:
There are high-severity vulnerabilities in Google Chrome, including an actively exploited zero-day flaw in the V8 JavaScript engine that poses a significant risk of remote code execution and sandbox escape.
Given the severity and confirmed exploitation in the wild, it is imperative that all users and administrators promptly update to the latest Chrome versions to mitigate potential attacks. Immediate action is essential to safeguard systems, data, and user privacy in light of these emerging threats.
References:
Summary
| OEM | Google Chrome |
| Severity | High |
| CVSS Score | 8.8 |
| CVEs | CVE-2025-9864, CVE-2025-9865, CVE-2025-9866, CVE-2025-9867 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
Several security vulnerabilities were recently identified in Chromium-based browsers, affecting components such as the V8 JavaScript engine, Toolbar, Extensions and Downloads. The high-severity vulnerability, a use-after-free issue, could allow attackers to execute arbitrary code.
Additional medium-severity bugs were found in the Toolbar, Extensions, and Downloads components. The Chrome team has started rolling out Chrome 140 to the stable channel, and users are urged to update their browsers to stay protected.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Use-after-free vulnerability in V8 | CVE-2025-9864 | Chrome | High | v140.0.7339.80/81 |
| Inappropriate implementation vulnerability in Toolbar | CVE-2025-9865 | Chrome | Medium | v140.0.7339.80/81 |
| Inappropriate implementation vulnerability in Extensions | CVE-2025-9866 | Chrome | Medium | v140.0.7339.80/81 |
| Inappropriate implementation vulnerability in Downloads | CVE-2025-9867 | Chrome | Medium | v140.0.7339.80/81 |
Technical Summary
Multiple vulnerabilities were addressed in Google Chrome prior to version 140.0.7339.80. The most critical, CVE-2025-9864, is a use-after-free issue in the V8 JavaScript engine that allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Other medium-severity issues include a Toolbar vulnerability on Android that could be exploited via specific user gestures to spoof domains, a security gap in Extensions allowing attackers to bypass content security policies, and a Downloads flaw on Android that enabled UI spoofing through manipulated web pages.
These could allow attackers to misuse Chrome’s features or gain higher system privileges.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-9864 | Chrome v139 and prior | Use-after-free in V8 engine could allow attackers to execute arbitrary code via malicious webpage | Remote Code Execution |
| CVE-2025-9865 | Chrome v139 and prior | Improper handling in Chrome’s Toolbar component could allow attackers to misuse browser functions or gain privileged access | Domain Spoofing / UI Spoofing |
| CVE-2025-9866 | Chrome v139 and prior | Inappropriate implementation in Chrome’s Extensions system could allow attackers to misuse or bypass content security policy | Content Security Policy Bypass |
| CVE-2025-9867 | Chrome v139 and prior | Improper validation in Chrome’s Downloads could allow attackers to perform UI spoofing via crafted HTML | UI Spoofing |
Remediation:
References:
Security Advisory: A critical use-after-free vulnerability has been identified in ANGLE, the graphics library used by Google Chrome. ANGLE enables applications designed for OpenGL ES (OpenGL used on mobile and embedded devices) or WebGL (a web-based 3D graphics API) to run on platforms that primarily use other graphics APIs, such as DirectX on Windows or Vulkan on Android.
| OEM | Google Chrome |
| Severity | High |
| CVSS Score | 8.8 |
| CVEs | CVE-2025-9478 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
This vulnerability could allow attackers to take control of your device simply through a visit to a harmful website using HTML or WebGL; that is, just opening the wrong page could let hackers run their own code on your system.
Google has already fixed this problem in the latest Chrome update (version 139.0.7258.154/.155 for Windows & macOS and 139.0.7258.154 for Linux). Users and administrators are strongly advised to apply the latest updates immediately.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Use-After-Free Vulnerability in ANGLE | CVE-2025-9478 | Google Chrome | High | v139.0.7258.154/.155 (Win/Mac), v139.0.7258.154 (Linux) |
Technical Summary
This security issue happens when Chrome accidentally reuses computer memory that should no longer be in use. An attacker exploits this when we visit a harmful website designed by cybercriminals: the site can secretly run special graphics commands (through WebGL or Canvas). This could corrupt our system’s memory, crash our browser, or allow hackers to run their own code on our device remotely.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-9478 | Chrome < 139.0.7258.154 | A vulnerability in Chrome’s graphics engine lets attackers reuse cleared memory through specially designed HTML/WebGL input. | Remote code execution, Data theft |
Remediation:
Here are some recommendations below
Conclusion:
This is a high-severity Chrome vulnerability that could allow remote code execution via malicious WebGL content. Although it is not yet exploited in the wild, immediate patching is essential. Users should update Chrome, monitor unusual graphics activity and stay informed about malicious website risks to ensure strong browser security.
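The following Python example is added here and is not from the advisories or from Google: it checks an installed Chrome build against the fixed versions listed in the advisories on this page and orders hosts for patching. The hostnames and inventory are constructed, and it assumes the Stable channel, where a higher four-part build number includes the earlier fixes.

```python
import re

# Lowest fixed build per release, copied from the "Fixed Version" columns of the
# advisories on this page, with the CVEs each release closes (oldest first).
FIXED_BUILDS = [
    ("139.0.7258.154", ["CVE-2025-9478"]),
    ("140.0.7339.80", ["CVE-2025-9864", "CVE-2025-9865", "CVE-2025-9866",
                       "CVE-2025-9867"]),
    ("140.0.7339.185", ["CVE-2025-10585", "CVE-2025-10500", "CVE-2025-10501",
                        "CVE-2025-10502"]),
    ("141.0.7390.65", ["CVE-2025-11458", "CVE-2025-11460", "CVE-2025-11211"]),
    ("142.0.7444.134", ["CVE-2025-12725", "CVE-2025-12726", "CVE-2025-12727",
                        "CVE-2025-12728", "CVE-2025-12729"]),
    ("142.0.7444.175", ["CVE-2025-13223", "CVE-2025-13224"]),
]
# CVEs the advisories describe as exploited in the wild.
EXPLOITED = {"CVE-2025-10585", "CVE-2025-13223"}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    # Numeric tuples matter: compared as strings, "142.0.7444.59" sorts after
    # "142.0.7444.134" and an unpatched build would look patched.
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no Chrome version in {text!r}")
    return tuple(int(part) for part in match.groups())

def missing_fixes(installed):
    """Return the CVEs from FIXED_BUILDS that the installed build predates."""
    have = parse_version(installed)
    missing = []
    for fixed, cves in FIXED_BUILDS:
        if have < parse_version(fixed):
            missing.extend(cves)
    return missing

def triage(inventory):
    """Order hosts for patching: unreadable versions first, then most exposure."""
    rows = []
    for host, raw in inventory.items():
        try:
            missing = missing_fixes(raw)
        except ValueError:
            rows.append((host, None, None))  # fail closed: review by hand
            continue
        in_wild = [cve for cve in missing if cve in EXPLOITED]
        rows.append((host, in_wild, missing))

    def priority(row):
        host, in_wild, missing = row
        if missing is None:
            return (0, 0, 0, host)
        return (1, -len(in_wild), -len(missing), host)

    return sorted(rows, key=priority)

# Constructed inventory (hostnames and version strings are made up).
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 142.0.7444.176",
    "ws-02": "142.0.7444.59",
    "ws-03": "140.0.7339.80",
    "build-07": "Chromium unknown",
}

if __name__ == "__main__":
    for host, in_wild, missing in triage(SAMPLE_INVENTORY):
        print(host, "in-the-wild:", in_wild, "all missing:", missing)
```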
References: