Google has rolled out a Stable Channel update for desktop users, bringing Chrome to version 139.0.7258.127/.128 for Windows and Mac, and 139.0.7258.127 for Linux. The update will reach users over the coming days and weeks. In line with its security policy, Google is keeping bug details restricted until most users have updated, to reduce the risk of active exploitation. Restrictions may remain if a flaw also exists in a third-party library that other projects depend on but have yet to patch.
CVE-2025-8879 – Heap Buffer Overflow in libaom
A heap buffer overflow was discovered in libaom, the widely used AV1 video codec library. This vulnerability allows attackers to write data beyond allocated memory boundaries, which could lead to arbitrary code execution. Given the prevalence of libaom in modern browsers and multimedia applications, this flaw poses a high risk of compromise when processing maliciously crafted AV1 video streams. The issue was reported by an anonymous researcher on July 15, 2025, and has been addressed in this release.
CVE-2025-8880 – Race Condition in V8
A race condition was identified in Chrome's V8 JavaScript engine, reported by Seunghyun Lee (@0x10n) on July 23, 2025. This type of vulnerability occurs when the timing of events in multithreaded code can be manipulated to cause unintended behavior. In this case, an attacker could potentially execute code outside of intended sandbox restrictions, leading to a complete browser compromise. Due to V8's role in handling JavaScript across all Chrome tabs and processes, exploiting such a flaw can be a powerful attack vector.
CVE-2025-8901 – Out-of-Bounds Write in ANGLE
Researchers from Google Big Sleep reported an out-of-bounds write in ANGLE on July 30, 2025. ANGLE is Chrome's graphics abstraction layer that translates OpenGL ES calls to other APIs like Direct3D or Vulkan. By manipulating graphics data, an attacker could trigger memory corruption that may crash the browser or execute malicious code. Given the complexity of GPU-based rendering, vulnerabilities in this layer can be difficult to detect and potentially devastating if weaponized.
Other Vulnerabilities Patched
In addition to these high-severity flaws, the update also fixes two medium-severity issues:
- CVE-2025-8881 – Inappropriate Implementation in File Picker (reported by Alesandro Ortiz)
- CVE-2025-8882 – Use After Free in Aura (reported by Umar Farooq)
While less severe, these vulnerabilities could still be exploited in targeted attacks and warrant prompt patching.
Update Recommendations
Users are strongly urged to update to the latest Chrome release immediately. Enabling automatic updates ensures future security fixes are applied as soon as they become available. After updating, restart the browser to fully apply the patches and mitigate the risk of exploitation.
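To confirm that endpoints have actually reached the fixed build, the following added example (not part of the original article or any Google tooling) classifies collected Chrome version strings against the 139.0.7258.127 baseline named above. The host names and the inventory entries are constructed for illustration, and the function names are hypothetical.

```python
import re

# Minimum fixed builds, taken from the article
# (Windows/Mac ship as .127 or .128, Linux as .127).
FIXED_BUILD = {
    "windows": (139, 0, 7258, 127),
    "mac": (139, 0, 7258, 127),
    "linux": (139, 0, 7258, 127),
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Pull the four-part version out of a string such as the output of
    `google-chrome --version`; return None when no version is present."""
    m = VERSION_RE.search(text)
    return tuple(int(part) for part in m.groups()) if m else None

def classify(platform, version_text):
    """Return 'patched', 'needs-update' or 'unknown' for one endpoint."""
    fixed = FIXED_BUILD.get(platform)
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # unparseable output or unlisted platform: check by hand
    # Tuple comparison is numeric per component; comparing the raw strings
    # would wrongly rank "139.0.7258.66" above "139.0.7258.127".
    return "patched" if version >= fixed else "needs-update"

def triage(inventory):
    """Map each host to its status."""
    return {host: classify(platform, text) for host, platform, text in inventory}

# Constructed sample inventory: (host, platform, collected version string).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "Google Chrome 139.0.7258.128"),
    ("ws-02", "windows", "139.0.7258.66"),
    ("mac-01", "mac", "Google Chrome 138.0.7204.184"),
    ("lin-01", "linux", "Google Chrome 139.0.7258.127 "),
    ("lin-02", "linux", "chrome: command not found"),
    ("ws-03", "windows", "Google Chrome 140.0.7339.80"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A host reported as patched still needs the browser restarted, since the check reads the collected version string rather than the running process.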