Google Chrome has launched a vital safety replace addressing six vulnerabilities that might doubtlessly allow arbitrary code execution on affected techniques.
The steady channel replace to model 139.0.7258.127/.128 for Home windows and Mac, and 139.0.7258.127 for Linux, incorporates patches for a number of high-severity safety flaws that pose important dangers to consumer knowledge and system integrity.
Key Takeaways1. Chrome fixes six vulnerabilities, together with three that allow code execution.2. Impacts V8 engine and graphics – permits malicious code execution.3. Replace Chrome now by way of Settings > About Chrome.
Excessive-Severity Vulnerabilities Addressed
The safety replace targets three high-severity vulnerabilities that might result in arbitrary code execution.
CVE-2025-8879 represents a heap buffer overflow vulnerability within the libaom library, which handles video encoding and decoding operations.
One of these vulnerability permits attackers to jot down knowledge past allotted reminiscence boundaries, doubtlessly overwriting vital system data.
CVE-2025-8880 addresses a race situation in Google’s V8 JavaScript engine, reported by safety researcher Seunghyun Lee.
Race circumstances happen when a number of processes try to entry shared sources concurrently, creating unpredictable habits that attackers can exploit.
The third high-severity flaw, CVE-2025-8901, entails an out-of-bounds write vulnerability in ANGLE (Nearly Native Graphics Layer Engine), which interprets OpenGL ES API calls to hardware-supported APIs.
Chrome’s safety workforce utilized a number of superior detection methodologies to determine these vulnerabilities, together with AddressSanitizer for detecting reminiscence corruption bugs, MemorySanitizer for uninitialized reminiscence reads, and UndefinedBehaviorSanitizer for catching undefined habits in C/C++ code.
The replace additionally incorporates Management Circulation Integrity mechanisms and findings from libFuzzer and AFL (American Fuzzy Lop) testing frameworks.
Medium- Severity Vulnerabilities Addressed
Further medium-severity vulnerabilities had been additionally patched, together with CVE-2025-8881, which addresses inappropriate implementation within the File Picker element, and CVE-2025-8882, a use-after-free vulnerability within the Aura windowing system.
Use-after-free vulnerabilities happen when packages proceed to make use of reminiscence after it has been freed, resulting in potential code execution alternatives.
CVE IDTitleSeverityCVE-2025-8879Heap buffer overflow in libaomHighCVE-2025-8880Race in V8HighCVE-2025-8901Out of bounds write in ANGLEHighCVE-2025-8881Inappropriate implementation in File PickerMediumCVE-2025-8882Use after free in AuraMedium
Mitigations
These vulnerabilities collectively current critical safety dangers, as heap buffer overflows and race circumstances in core browser parts may be exploited to execute malicious code with browser privileges.
The automated rollout will happen over the approaching days and weeks, however customers ought to manually replace Chrome by means of Settings > About Chrome.
System directors ought to prioritize this replace deployment, notably in enterprise environments the place browsers course of delicate knowledge.
The Chrome workforce’s collaboration with exterior safety researchers, together with nameless contributors and Google’s Huge Sleep mission, demonstrates the continuing effort to determine and remediate safety vulnerabilities earlier than they attain steady launch channels.
Increase your SOC and assist your workforce shield what you are promoting with free top-notch risk intelligence: Request TI Lookup Premium Trial.
