Google has released an urgent security update for its Chrome browser, addressing three critical vulnerabilities that could allow attackers to execute arbitrary code on users' systems.
The Stable channel update to version 138.0.7204.168/.169 for Windows and Mac, and 138.0.7204.168 for Linux, is rolling out to users worldwide over the coming days and weeks.
The most concerning issues are two high-severity type confusion vulnerabilities in Chrome's V8 JavaScript engine, both discovered and reported by security researcher Shaheen Fazim on July 9, 2025. These flaws, tracked as CVE-2025-8010 and CVE-2025-8011, represent significant threats to browser security.
CVE-2025-8010 has been assigned a substantial $8,000 bug bounty reward, indicating its severity and potential impact. The second vulnerability, CVE-2025-8011, is still pending its reward determination but carries equally serious implications for user safety.
Type Confusion Attacks
Type confusion vulnerabilities occur when software accesses resources using incorrect data types, leading to unexpected behavior and potential security breaches.
In the context of Chrome's V8 JavaScript engine, these flaws can be particularly dangerous as they allow attackers to manipulate memory allocations and potentially execute arbitrary code through specially crafted web pages.
“Type confusion, often combined with use-after-free, is the main attack vector to compromise modern C++ software like browsers,” according to cybersecurity researchers.
These vulnerabilities can lead to heap corruption, memory corruption, and ultimately arbitrary code execution when successfully exploited.
This update comes amid a concerning trend of increasing browser-based security threats. Security experts report that vulnerabilities in 2024 rose by 61% compared to 2023, with nearly 50,000 vulnerabilities forecasted for 2025.
Chrome's V8 engine has become a particularly attractive target for cybercriminals, with Google offering enhanced bug bounty rewards of up to $20,000 for high-quality V8 vulnerability reports.
The V8 JavaScript engine, which powers not only Chrome but also other Chromium-based browsers like Microsoft Edge and Brave, processes billions of web interactions daily, making these vulnerabilities especially critical.
When exploited, these flaws could allow attackers to bypass Chrome's security sandbox and gain access to the underlying operating system.
Security researchers emphasize that users should update their browsers immediately. Modern type confusion attacks can be triggered simply by visiting a malicious website, requiring no additional user interaction.
The attack typically begins with attackers crafting malicious HTML pages containing specially designed JavaScript code that exploits these V8 engine vulnerabilities.
Google's security team has also acknowledged the work of various internal security initiatives, including AddressSanitizer, MemorySanitizer, and fuzzing techniques that help identify such vulnerabilities before they reach production.
However, the discovery of these high-severity issues by external researchers demonstrates the ongoing challenges in securing complex browser engines.
Chrome users should verify their browser version by navigating to Settings > About Chrome and allowing any pending updates to install automatically.
Given the severity of these vulnerabilities and their potential for exploitation in drive-by attacks, immediate patching is strongly recommended.
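For teams checking many machines rather than one, the version check above can be scripted. The following is an added example, not part of the original article or any Google tooling: it triages reported Chrome version strings against the fixed build 138.0.7204.168 named above. The function names, hostnames and sample inventory are assumptions constructed for illustration.

```python
import re

# Fixed Stable build named in the article (Windows/Mac ship .168/.169,
# Linux .168), so .168 is the lowest patched build on every platform.
FIXED_BUILD = (138, 0, 7204, 168)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version from text such as
    'Google Chrome 138.0.7204.157'; return None if none is present."""
    m = _VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one reported version.
    Integer tuples compare numerically, so build 99 sorts below build 168
    (a plain string comparison would get that wrong)."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    return "patched" if v >= FIXED_BUILD else "vulnerable"


def triage(inventory):
    """Group hosts by status. Unparseable versions are kept separate so they
    get followed up rather than silently counted as patched."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version_text in inventory:
        result[classify(version_text)].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ws-001", "Google Chrome 138.0.7204.169"),
    ("ws-002", "Google Chrome 138.0.7204.157"),
    ("mac-014", "138.0.7204.168"),
    ("lnx-007", "Google Chrome 137.0.7151.120"),
    ("ws-033", "Google Chrome 139.0.7258.5"),
    ("kiosk-2", "not installed"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Here "vulnerable" means only that the reported build predates the fixed one; a browser that has downloaded the update but not yet been relaunched will still report the old version.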