Chrome 137 and Firefox 139 updates launched on Tuesday resolve 4 high-severity reminiscence bugs, two in every standard browser.
The Chrome replace patches a use-after-free subject in Media (tracked as CVE-2025-5958) and a kind confusion within the V8 JavaScript engine (CVE-2025-5959), each reported by exterior researchers.
Use-after-free vulnerabilities may be exploited for code execution, information corruption and denial of service. In Chrome, they’ll result in sandbox escape, if mixed with safety defects in a privileged a part of the browser, or within the underlying working system.
Kind confusion points in Chrome’s V8 engine may result in data leaks, distant code execution (RCE), and system compromise. Google sometimes pays $55,000 for V8 flaws resulting in RCE, however has but to find out the quantity to be paid for CVE-2025-5959.
Nevertheless, the web big says it handed out $8,000 to the Ant Group Gentle-12 months Safety Lab researcher who reported the use-after-free vulnerability.
The most recent Chrome iteration is now rolling out as variations 137.0.7151.103/.104 for Home windows and macOS, and as model 137.0.7151.103 for Linux.
On Tuesday, Mozilla introduced the discharge of Firefox 139.0.4 with patches for a reminiscence corruption flaw within the canvas surfaces part (tracked as CVE-2025-49709) and an integer overflow bug in OrderedHashTable utilized by the JavaScript engine (CVE-2025-49710).
Mozilla additionally pushed recent updates for Thunderbird to repair a high-severity safety defect that might result in unsolicited file downloads, leading to customers’ disks being stuffed with rubbish information on Linux, or to a credential leak by way of SMB hyperlinks on Home windows.Commercial. Scroll to proceed studying.
“A crafted HTML electronic mail utilizing mailbox:/// hyperlinks can set off automated, unsolicited downloads of .pdf information to the consumer’s desktop or house listing with out prompting, even when auto-saving is disabled,” Mozilla explains.
“Whereas consumer interplay is required to obtain the .pdf file, visible obfuscation can conceal the obtain set off. Viewing the e-mail in HTML mode is sufficient to load exterior content material,” it continues.
Tracked as CVE-2025-5986, the difficulty was resolved in Thunderbird 139.0.2 and Thunderbird 128.11.1.
Customers are suggested to replace their browsers and mail purchasers as quickly as attainable, even when Google and Mozilla make no point out of any of those vulnerabilities being exploited in assaults.
Associated: Google Researchers Discover New Chrome Zero-Day
Associated: Chrome to Mistrust Chunghwa Telecom and Netlock Certificates
Associated: Chrome 137, Firefox 139 Patch Excessive-Severity Vulnerabilities
