An important security update has been released for the Chrome Stable channel, addressing five vulnerabilities, including three high-severity flaws that could allow attackers to execute arbitrary code. Users on Windows, Mac, and Linux are strongly advised to update their browsers immediately.
The update, version 134.0.6998.88/.89 for Windows and Mac, and 134.0.6998.88 for Linux, is rolling out over the coming days and weeks. However, given the severity of the patched vulnerabilities, particularly the two high-risk type confusion flaws in the V8 JavaScript engine, delaying the update is highly discouraged.
The most concerning aspects of this update are the two high-severity type confusion vulnerabilities, CVE-2025-1920 and CVE-2025-2135, both affecting the V8 JavaScript engine. Type confusion vulnerabilities occur when a program attempts to access an object using an incompatible type, potentially leading to memory corruption and arbitrary code execution.
- CVE-2025-1920, reported by Excello s.r.o., earned a $7000 bounty.
- CVE-2025-2135, reported by Zhenghang Xiao (@Kipreyyy), is also a high-risk flaw.
These vulnerabilities indicate that the V8 engine, a crucial component of Chrome responsible for executing JavaScript, is under active scrutiny by security researchers. The potential for exploitation of these flaws is significant, as attackers could leverage them to inject malicious code into websites, compromising user systems.
Adding to the urgency, a high-severity out-of-bounds write vulnerability, CVE-TBD, has been discovered in the GPU component of Chrome. This flaw, reported on March 5th, could allow attackers to write data beyond the intended memory boundaries, potentially leading to system crashes or remote code execution. The severity of this issue is further amplified by the fact that GPU vulnerabilities can be particularly difficult to detect and mitigate.
The update also patches two medium-severity vulnerabilities:
- CVE-2025-2136, a use-after-free vulnerability in the Inspector, reported by Sakana.S, earning a $3000 bounty. Use-after-free flaws occur when a program attempts to access memory that has already been freed, leading to potential crashes or code execution.
- CVE-2025-2137, an out-of-bounds read vulnerability in V8, reported by zeroxiaobai@, earning a $2000 bounty. Out-of-bounds read vulnerabilities allow attackers to read data beyond the intended memory boundaries, potentially leaking sensitive information.
Given the severity of the patched vulnerabilities, especially the high-risk flaws in the V8 engine and GPU component, users are strongly advised to update their Chrome browsers immediately.
How to Update Chrome:
- Open Google Chrome.
- Click the three vertical dots (menu) in the top-right corner.
- Go to “Help” > “About Google Chrome.”
- Chrome will automatically check for updates and install them.
- Relaunch Chrome to apply the updates.
Related Posts:
- 2 Million Users Exposed by Malicious Browser Extensions
- Google Bug Bounty Program Expands to Chrome V8 and Google Cloud
- Zero-Day Vulnerability: 18 Years of Exploiting the ‘0.0.0.0’ Flaw
- Trojan Malware Infiltrates Browser Extensions, Impacts 300,000 Users
