The Google Chrome team has officially pushed Chrome 134 to the stable channel for Windows (134.0.6998.35/36), Mac (134.0.6998.44/45), and Linux (134.0.6998.35), bringing with it a critical set of security patches. This update, which will gradually roll out to users over the coming days and weeks, addresses 14 security vulnerabilities, including a high-severity flaw in the V8 JavaScript engine.
At the forefront of these fixes is CVE-2025-1914, a high-severity out-of-bounds read vulnerability in V8, Chrome’s JavaScript engine. This flaw, reported by Zhenghang Xiao (@Kipreyyy) and Nan Wang (@eternalsakura13), earned a substantial $7,000 reward. An out-of-bounds read can allow malicious actors to access sensitive data or even execute arbitrary code, making it a critical threat.
Beyond the V8 vulnerability, Chrome 134 addresses a range of medium and low-severity issues across various components. Notably, CVE-2025-1915, a medium-severity vulnerability in DevTools involving improper limitation of pathnames, was reported by Topi Lassila and earned a $4,000 reward.
Other significant fixes include:
- CVE-2025-1916: A use-after-free vulnerability in Profiles, reported by parkminchan, SSD Labs Korea ($3,000 reward).
- Multiple out-of-bounds read vulnerabilities in PDFium and Media (CVE-2025-1918, CVE-2025-1919), highlighting the importance of keeping media handling components updated.
- Inappropriate implementations in Browser UI, Media Stream, Selection, and Permission Prompts (CVE-2025-1917, CVE-2025-1921, CVE-2025-1922, CVE-2025-1923).
Given the severity of the V8 vulnerability and the range of other security fixes, users are strongly advised to update their Chrome browsers to version 134 as soon as it becomes available. The update will roll out progressively, so users should check for updates regularly.
Related Posts:
- Google Bug Bounty Program Expands to Chrome V8 and Google Cloud
- New Chrome 0-Day Bug Under Active Attack
- Chrome will no longer flag HTTPS pages as secure sites
