Google has officially promoted Chrome 140 to the stable channel, initiating a multi-platform rollout for Windows, Mac, Linux, Android, and iOS.
The update brings the usual stability and performance improvements, but the headline feature is a critical security patch addressing six vulnerabilities, including one high-severity flaw that could allow for remote code execution.
Users are strongly advised to update their browsers immediately to protect against potential exploitation.
The new desktop version is identified as build 140.0.7339.80 for Linux and 140.0.7339.80/81 for Windows and Mac. The update is also being pushed to the Extended Stable channel with build 140.0.7339.81.
Key Takeaways
1. Chrome 140 is now stable on desktop and mobile, including extended-stable build 140.0.7339.81.
2. Six security bugs fixed.
3. GPU rasterization, faster HTTP/3, and CSS Container Queries support.
Mobile users will see updates with the version 140.0.7339.35 on Android and 140.0.7339.95 on iOS. While Google notes the rollout will take place over the coming days and weeks, manually checking for the update is recommended because of the severity of the patched flaws.
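A fleet check against the build numbers listed above, as an added example that is not part of the original article or of Google's advisory. The platform keys, host names and inventory records are constructed for illustration.

```python
# Added example: flag Chrome installs older than the patched builds named in the article.
# Platform keys and the inventory below are constructed for illustration.

PATCHED = {
    "linux": "140.0.7339.80",
    "windows": "140.0.7339.80",   # article lists 140.0.7339.80/81
    "mac": "140.0.7339.80",
    "android": "140.0.7339.35",
    "ios": "140.0.7339.95",
}

def parse_version(text):
    """Return a 4-tuple of ints for 'MAJOR.MINOR.BUILD.PATCH', or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(platform, version):
    """Return 'patched', 'outdated' or 'unknown' for one inventory record."""
    minimum = PATCHED.get(platform.lower())
    parsed = parse_version(version)
    if minimum is None or parsed is None:
        return "unknown"
    # Compare numerically: as strings, '140.0.7339.9' would sort after '140.0.7339.80'.
    return "patched" if parsed >= parse_version(minimum) else "outdated"

def audit(inventory):
    """Map each host to its status; anything not provably patched needs follow-up."""
    return {host: classify(platform, version) for host, platform, version in inventory}

# Constructed sample inventory: (host, platform, reported Chrome version)
SAMPLE = [
    ("ws-01", "windows", "140.0.7339.81"),
    ("ws-02", "windows", "139.0.7000.1"),
    ("dev-03", "linux", "140.0.7339.9"),
    ("ph-04", "android", "140.0.7339.35"),
    ("ph-05", "ios", "140.0.7339.80"),
    ("kiosk-06", "chromeos", "140.0.7339.80"),
    ("ws-07", "mac", "140.0.7339"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" (an unlisted platform or a truncated version string) should be treated as unverified rather than as patched.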
The most critical issue resolved in this update is a high-severity vulnerability tracked as CVE-2025-9864. This flaw is described as a “Use after free in V8,” the powerful open-source JavaScript and WebAssembly engine that powers Chrome.
A use-after-free vulnerability occurs when a program continues to use a pointer after the memory it points to has been deallocated.
By manipulating this memory state, a successful attacker could craft a malicious webpage that triggers the bug, potentially leading to a browser crash or, in a worst-case scenario, the execution of arbitrary code on the victim’s system. This vulnerability was reported by Pavel Kuzmin of the Yandex Security Team on July 28, 2025.
In addition to the V8 flaw, Google patched several medium-severity bugs reported by external researchers, including:
CVE-2025-9865: An inappropriate implementation in the Toolbar.
CVE-2025-9866: An inappropriate implementation in Extensions.
CVE-2025-9867: An inappropriate implementation in Downloads.
Google awarded a total of $10,000 in bounties to the external researchers who discovered and reported these vulnerabilities, as stated in the advisory.
Vulnerability | Description | Severity | Reward
CVE-2025-9864 | Use after free in V8 | High | N/A
CVE-2025-9865 | Inappropriate implementation in Toolbar | Medium | $5,000
CVE-2025-9866 | Inappropriate implementation in Extensions | Medium | $4,000
CVE-2025-9867 | Inappropriate implementation in Downloads | Medium |
Update Rollout Details
Beyond the fixes contributed by external researchers, this release includes various other security improvements resulting from Google’s own internal security work.
The company credits its robust internal auditing processes and sophisticated testing tools for catching many bugs before they ever reach the stable channel.
Google’s security teams extensively use automated tools like AddressSanitizer, MemorySanitizer, and UndefinedBehaviorSanitizer, as well as fuzzing technologies like libFuzzer and AFL, to proactively discover and neutralize memory corruption and other security flaws.
As the update for Chrome 140 rolls out globally, Google is restricting access to the specific bug details and links. This standard procedure is designed to prevent threat actors from reverse-engineering the exploits before a majority of users have installed the protective patch.
Users can ensure they are protected by navigating to Chrome’s “About Google Chrome” settings page, which will trigger the automatic download and installation of the latest version.