Google has issued an urgent security update for its Chrome web browser to address three high-severity vulnerabilities that could allow attackers to read sensitive information or crash the browser.
The company is advising users to update their browsers immediately to mitigate the risks associated with these flaws.
The latest patch brings the Chrome Stable channel to version 140.0.7339.207/.208 for Windows and Mac, and 140.0.7339.207 for Linux. The update will roll out automatically over the coming days and weeks, but users can trigger it manually to make sure they are protected right away.
All three high-severity vulnerabilities reside in V8, the JavaScript and WebAssembly engine that is the Chrome component responsible for executing the code that web pages ship.
The first flaw, tracked as CVE-2025-10890, is a side-channel information leakage vulnerability. A weakness of this kind could allow a remote attacker who has convinced a user to visit a malicious website to read sensitive data from the browser's memory, bypassing the protections designed to keep that information isolated. External security researcher Mate Marjanović reported this vulnerability.
The other two vulnerabilities, CVE-2025-10891 and CVE-2025-10892, are both described as integer overflows in the V8 engine.
They were discovered internally by Google's Big Sleep research team. An integer overflow is a common software bug that occurs when a numerical value is too large for the fixed-width integer type that holds it, causing it to "wrap around" to a different, usually much smaller, value and produce unexpected behaviour.
In a browser context, attackers can often exploit such flaws to cause a denial of service by crashing the renderer process or, when the wrapped value feeds a buffer size or bounds check, to corrupt memory and execute arbitrary code on the affected system.
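The following is an added illustration of the bug class, not code from V8 and not a description of how CVE-2025-10891 or CVE-2025-10892 work (Google has withheld those details). It uses a hypothetical 8-bit length field so the wrap-around is visible with tiny numbers: an element count multiplied by an element size wraps, the buffer is allocated far too small, and the subsequent copy runs into neighbouring memory. The hardened variant does the multiplication in a wider type and rejects results that do not fit. The arena, canary value and sample inputs are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the integer-overflow bug class. This is NOT V8 code
 * and says nothing about the withheld details of CVE-2025-10891/10892.
 * The length field is 8 bits so the wrap-around is visible with tiny
 * numbers; 32-bit size computations fail in exactly the same way. */

#define ARENA_SIZE 512   /* toy heap: the allocation sits at offset 0, neighbours after it */
#define CANARY     0xA5  /* fill pattern standing in for a neighbouring object */

/* Vulnerable size computation: count * elem_size wraps modulo 256. */
static uint8_t wrapped_size(uint8_t count, uint8_t elem_size)
{
    return (uint8_t)(count * elem_size);   /* 65 * 4 = 260 -> 4 */
}

/* Hardened computation: multiply in a wider type and reject results that
 * do not fit the size field. Returns the size in bytes, or -1 on overflow. */
static int checked_size(uint8_t count, uint8_t elem_size)
{
    unsigned wide = (unsigned)count * (unsigned)elem_size;
    if (wide > UINT8_MAX)
        return -1;
    return (int)wide;
}

/* Simulates the vulnerable path: size the buffer with the wrapping
 * arithmetic, then copy all count * elem_size bytes the caller believes it
 * owns. The write is clamped to the arena so the demo cannot crash the host.
 * Returns 1 if the byte just past the allocation was clobbered, else 0. */
static int vulnerable_copy(uint8_t count, uint8_t elem_size)
{
    uint8_t arena[ARENA_SIZE];
    memset(arena, CANARY, sizeof arena);

    uint8_t alloc_len = wrapped_size(count, elem_size);   /* undersized on wrap */
    size_t needed = (size_t)count * elem_size;             /* what the copy writes */
    if (needed > ARENA_SIZE)
        needed = ARENA_SIZE;
    memset(arena, 0x41, needed);   /* attacker-controlled 'A' bytes */

    /* If alloc_len < needed, arena[alloc_len] belonged to another object. */
    return alloc_len < needed && arena[alloc_len] != CANARY;
}

/* Hardened path: refuse the request when the size computation overflows.
 * Returns -1 if rejected, 0 if the copy stayed inside its allocation. */
static int hardened_copy(uint8_t count, uint8_t elem_size)
{
    int len = checked_size(count, elem_size);
    if (len < 0)
        return -1;
    uint8_t arena[ARENA_SIZE];
    memset(arena, CANARY, sizeof arena);
    memset(arena, 0x41, (size_t)len);   /* len == count * elem_size, no wrap */
    return arena[len] != CANARY;        /* 0: neighbour untouched */
}

int main(void)
{
    printf("65 elements x 4 bytes: wrapped size = %u, checked size = %d\n",
           wrapped_size(65, 4), checked_size(65, 4));
    printf("vulnerable_copy(65, 4) clobbered a neighbour: %d\n", vulnerable_copy(65, 4));
    printf("hardened_copy(65, 4) result: %d (-1 = rejected)\n", hardened_copy(65, 4));
    return 0;
}
```

With real 32-bit sizes the same check is done with a 64-bit intermediate or a compiler builtin such as `__builtin_mul_overflow`; the point is that the wrapped value in `wrapped_size` looks like a perfectly valid small allocation, and only the later copy reveals that the object is far too short for the data written into it.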
Attackers Could Exploit the Vulnerabilities
Successfully exploiting any of these vulnerabilities would typically require an attacker to lure a victim to a specially crafted, malicious webpage.
For CVE-2025-10890, malicious code on the page could trigger the side-channel flaw, allowing the attacker to infer data belonging to other websites or processes running on the user's machine.
The two integer overflow flaws, if exploited, could lead to abrupt browser crashes. While Google's advisory does not confirm it, integer overflows can often be chained with other bugs to gain full control of a compromised system, which makes them a serious threat.
In keeping with its standard security policy, Google is currently restricting access to the technical details and proof-of-concept exploits for these bugs.
This measure is intended to prevent widespread attacks by giving the majority of users enough time to install the patch. The restrictions will be lifted once the update has been broadly deployed.
Google strongly recommends that all Chrome users ensure their browser is updated to the latest version to defend against potential exploitation.
To check for and install the update, open the Chrome menu, select "Help," then click "About Google Chrome." The browser will automatically check for the latest version and prompt you to relaunch; the new version is not active until that relaunch has happened, so a browser left running on an old version remains exposed.
Google also thanked the security researchers who contributed to identifying and reporting these vulnerabilities, highlighting the collaborative effort required to maintain browser security.
The company noted that many of its security bugs are detected with tools such as AddressSanitizer, MemorySanitizer and various fuzzing libraries, which help find and fix flaws before they reach the stable channel.