
Chrome 137, Firefox 139 Patch High-Severity Vulnerabilities

Posted on May 28, 2025 By CWS

Google and Mozilla on Tuesday announced the release of Chrome 137 and Firefox 139, with patches for a total of 21 vulnerabilities between the two browsers, including three rated high severity.

Chrome 137 brings 11 security fixes, eight of which cover security defects reported by external researchers.

Of the eight externally reported bugs, two are high-severity memory safety issues, namely a use-after-free defect in Compositing (CVE-2025-5063) and an out-of-bounds write flaw in the V8 JavaScript engine (CVE-2025-5280).

While Google did not provide technical details on the vulnerabilities, the exploitation of memory safety bugs could allow attackers to execute arbitrary code or crash the application. Combined with flaws in the underlying system or a privileged process, use-after-free issues in Chrome can lead to sandbox escape.

The latest Chrome update also resolves five medium-severity security defects in the Background Fetch API, FileSystemAccess API, Messages, BFCache, and libvpx, and one low-severity flaw in Tab Strip.

Google says it handed out $7,500 in bug bounty rewards to the reporting researchers, but it has yet to determine the amounts to be paid for the high-severity vulnerabilities and two medium-severity bugs, so the final amount could be much higher.

The latest Chrome iteration is now rolling out as versions 137.0.7151.55/56 for Windows and macOS and as version 137.0.7151.55 for Linux.

Firefox 139 was released with patches for 10 vulnerabilities, including a high-severity double-free issue in libvpx (with no CVE identifier assigned) that could have led to memory corruption and a potentially exploitable crash.

Additionally, the browser update resolves six medium-severity bugs leading to cross-origin leak attacks, local code execution, cross-site leaks (XS-Leaks), and memory corruption (that could have been exploited for arbitrary code execution).

On Tuesday, Mozilla also delivered Firefox ESR 128.11 with patches for eight of these vulnerabilities, and Firefox ESR 115.24 with fixes for four of them. Thunderbird 139 was rolled out with fixes for all 10 security defects, while Thunderbird 128.11 came out with patches for eight of the flaws.

While Google and Mozilla make no mention of any of these vulnerabilities being exploited in the wild, users are advised to update their browsers as soon as possible, as it is not uncommon for threat actors to target Chrome and Firefox bugs.
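To act on the update advice across a fleet, the following added example (not from the article, Google, or Mozilla) checks installed versions against the fixed releases named above. The inventory rows are constructed sample data, and treating 128.x and 115.x as the ESR lines is an assumption of the example.

```python
import re

# Minimum fixed builds named in the article, keyed by (product, major version).
# Treating 128.x and 115.x as the ESR lines is an assumption of this example.
FIXED = {
    ("chrome", 137): (137, 0, 7151, 55),
    ("firefox", 139): (139,),
    ("firefox", 128): (128, 11),
    ("firefox", 115): (115, 24),
    ("thunderbird", 139): (139,),
    ("thunderbird", 128): (128, 11),
}

def parse_version(text):
    """Turn '128.11.0esr' into (128, 11, 0); reject anything non-numeric."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:esr)?", text.strip().lower())
    if m is None:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def is_patched(product, version):
    """True if the build is at or above the fixed release for its branch."""
    product = product.strip().lower()
    branches = [major for (name, major) in FIXED if name == product]
    if not branches:
        raise KeyError(f"product not covered by the article: {product!r}")
    found = parse_version(version)
    if found[0] > max(branches):
        return True                      # newer than any release discussed here
    fixed = FIXED.get((product, found[0]))
    if fixed is None:
        return False                     # older branch with no fixed build listed
    width = max(len(found), len(fixed))  # pad so (139,) compares equal to (139, 0)
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(found) >= pad(fixed)

# Constructed sample inventory: (host, product, installed version).
INVENTORY = [
    ("ws-01", "Chrome", "137.0.7151.56"),
    ("ws-02", "Chrome", "136.0.7103.114"),
    ("ws-03", "Firefox", "128.10.1esr"),
    ("ws-04", "Firefox", "115.24.0esr"),
    ("ws-05", "Thunderbird", "138.0.1"),
]

def outdated(inventory):
    """Hosts whose browser or mail client predates the fixed build."""
    return [host for host, product, ver in inventory if not is_patched(product, ver)]

if __name__ == "__main__":
    print(outdated(INVENTORY))
```

A host that passes on an ESR branch still carries only the subset of fixes the article attributes to that ESR release.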
