Google on Tuesday announced patches for three vulnerabilities in Chrome 137, including two high-severity issues reported by external researchers.
The first of the externally reported bugs is CVE-2025-6191, described as an integer overflow defect in the V8 JavaScript engine. Google says it handed out a $7,000 reward to the reporting researcher.
The second flaw, tracked as CVE-2025-6192, is a use-after-free vulnerability in Chrome's Profiler component that earned the reporting researcher a $4,000 reward.
The security defects were addressed in Chrome versions 137.0.7151.119/.120 for Windows and macOS, and in version 137.0.7151.119 for Linux.
Memory bugs in Chrome are attractive targets for attackers, as they can potentially lead to remote code execution, and users are advised to update their browsers as soon as possible, although Google makes no mention of any of these issues being exploited.
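The practical follow-up to that advice is checking whether the installed builds are at or above the fixed versions. The script below is an added example, not code from the article or from Google: it parses four-part Chrome version strings, compares them against the per-platform fixed builds the article lists, and flags hosts that are still behind or whose inventory data cannot be parsed. The inventory lines and their "hostname,platform,version" layout are constructed sample data and an assumed format.

```python
"""Flag Chrome installs that predate the CVE-2025-6191 / CVE-2025-6192 fixes.

Added example, not from the original article. The inventory format and
sample lines below are constructed assumptions.
"""
from typing import List, Tuple

# Minimum fixed build per platform, as stated in the advisory coverage:
# 137.0.7151.119 on all three platforms (.120 is also a fixed Windows/macOS build).
FIXED_VERSION = {
    "windows": (137, 0, 7151, 119),
    "macos": (137, 0, 7151, 119),
    "linux": (137, 0, 7151, 119),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted Chrome version such as '137.0.7151.119' into a tuple of ints.

    Raises ValueError on malformed input so that bad inventory data is never
    silently treated as patched.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed Chrome version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(platform: str, version: str) -> bool:
    """True when the version is at or above the fixed build for that platform.

    Tuple comparison handles the .119 vs .120 case correctly (120 >= 119),
    which a plain string comparison would not for multi-digit components.
    """
    minimum = FIXED_VERSION[platform.lower()]
    return parse_version(version) >= minimum


# Constructed inventory in "hostname,platform,version" form (assumed format).
SAMPLE_INVENTORY = """\
ws-01,windows,137.0.7151.104
ws-02,windows,137.0.7151.120
mac-07,macos,137.0.7151.119
build-3,linux,136.0.7103.113
lab-9,linux,not-installed
"""


def find_unpatched(inventory: str) -> List[Tuple[str, str, str, str]]:
    """Return (host, platform, version, reason) for every host that still needs
    attention: below the fixed build, unparseable version, or unknown platform."""
    findings = []
    for line in inventory.strip().splitlines():
        host, platform, version = (field.strip() for field in line.split(","))
        try:
            if not is_patched(platform, version):
                findings.append((host, platform, version, "below fixed build"))
        except ValueError:
            findings.append((host, platform, version, "unparseable version"))
        except KeyError:
            findings.append((host, platform, version, "unknown platform"))
    return findings


if __name__ == "__main__":
    for host, platform, version, reason in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host:8} {platform:8} {version:18} {reason}")
```

Unparseable or unknown entries are reported rather than skipped, because a host that drops out of the report silently is indistinguishable from one that is patched.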
However, threat actors have been observed targeting recent Chrome vulnerabilities in the wild, some of which were exploited as zero-days before being caught by security researchers.
One example is CVE-2025-2783, a high-severity sandbox escape flaw flagged by Kaspersky as being exploited in one-click attacks in a cyberespionage campaign targeting various Russian organizations. Firefox was found vulnerable to a similar defect.
While Kaspersky did not attribute the observed zero-day attacks to a specific threat actor, Positive Technologies this week reported that a group tracked as Team46 was behind them.
The zero-day exploitation, the company says, led to the deployment of Trinper, a backdoor associated with the TaxOff hacking group, suggesting that Team46 and TaxOff represent a cluster of activity that can be attributed to a single adversary.
“This group leverages zero-day exploits, which allows it to penetrate secure infrastructures more effectively. The group also creates and uses sophisticated malware, implying that it has a long-term strategy and intends to maintain persistence on the compromised systems for an extended period,” Positive Technologies notes.