On May 27, 2025, Google announced the release of Chrome 137, marking a significant advancement in browser security and artificial intelligence integration. This update is being rolled out globally over the coming days and weeks for Windows, Mac, and Linux platforms.
Security Enhancements in Chrome 137
Chrome 137.0.7151.55 for Linux and 137.0.7151.55/56 for Windows and Mac addresses 11 vulnerabilities identified by both external researchers and internal security teams. Among these, two high-severity issues stand out:
– CVE-2025-5063: A use-after-free vulnerability in the Compositing component, reported by an anonymous researcher on April 18, 2025. This flaw could potentially allow attackers to execute arbitrary code by exploiting memory that has been freed but not properly cleared.
– CVE-2025-5280: An out-of-bounds write issue in the V8 JavaScript engine, discovered by security researcher pwn2car on May 12, 2025. This vulnerability could lead to memory corruption, enabling remote code execution.
In addition to these high-severity vulnerabilities, Chrome 137 addresses several medium and low-severity issues, including:
– CVE-2025-5064: An inappropriate implementation in the Background Fetch API, reported by Maurice Dauer. This flaw could lead to cross-origin data leakage through improper handling of background fetch operations.
– CVE-2025-5065: A FileSystemAccess API issue identified by NDevTK, which could allow UI spoofing attacks enabling malicious file operations through crafted dialog manipulation.
– CVE-2025-5066: A messaging implementation flaw reported by Mohit Raj, affecting Chrome for Android, which could enable UI spoofing through crafted gestures.
Google has a comprehensive bug bounty program to encourage the discovery and reporting of such vulnerabilities. Notable rewards include $4,000 for Maurice Dauer’s discovery, $2,000 for NDevTK’s findings, and $1,000 for Mohit Raj’s identification of messaging vulnerabilities.
Integration of AI-Powered Security Features
A groundbreaking feature in Chrome 137 is the integration of Google’s Gemini Nano large language model, providing on-device artificial intelligence capabilities to combat sophisticated cyber threats. This AI-powered system operates entirely on the user’s device, preserving privacy while analyzing webpage content in real time. When Chrome detects characteristic scam triggers, such as misuse of the keyboard-lock API, Gemini Nano evaluates the page’s intent by processing text, layout, and behavioral cues. This lets Chrome detect deceptive patterns and generate security signals for Google’s Safe Browsing service, providing protection against scam pages that are live for fewer than 10 minutes on average.
Recommendations for Users
Given the critical nature of the vulnerabilities addressed in this release, users are strongly encouraged to update their browsers immediately. Failure to do so could leave systems exposed to potential attacks that exploit these flaws.
To update Chrome:
1. Open Chrome.
2. Click on the three-dot menu in the top-right corner.
3. Navigate to “Help” > “About Google Chrome.”
4. The browser will automatically check for updates and install them if available.
5. Restart Chrome to complete the process.
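For fleet or host checks, the manual steps above can be complemented by comparing the installed build against the patched versions named in this release. The script below is an added example, not code from Google or this article; it assumes the Linux/macOS binary names `google-chrome`, `google-chrome-stable` and `chromium`, and treats 137.0.7151.55 as the minimum fixed build on every platform (the Windows/Mac 137.0.7151.56 build also qualifies).

```python
import re
import subprocess
from typing import Optional, Tuple

# Minimum patched builds from the Chrome 137 release above.
# Windows/Mac shipped 137.0.7151.55/56; both carry the fixes.
PATCHED = {
    "linux": (137, 0, 7151, 55),
    "windows": (137, 0, 7151, 55),
    "mac": (137, 0, 7151, 55),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract the four-part Chrome version from strings such as
    'Google Chrome 137.0.7151.55' (output of `google-chrome --version`)."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_patched(version_text: str, platform: str) -> bool:
    """True if the installed build is at or above the fixed build.
    Unparseable input counts as unpatched so a broken check cannot pass silently."""
    v = parse_version(version_text)
    if v is None:
        return False
    return v >= PATCHED[platform.lower()]


def installed_version() -> Optional[str]:
    """Query the local binary for its version (binary names are an assumption)."""
    for exe in ("google-chrome", "google-chrome-stable", "chromium"):
        try:
            return subprocess.run([exe, "--version"], capture_output=True,
                                  text=True, check=True).stdout
        except (FileNotFoundError, subprocess.CalledProcessError):
            continue
    return None


if __name__ == "__main__":
    out = installed_version()
    if out is None:
        print("Chrome not found on PATH")
    else:
        status = "patched" if is_patched(out, "linux") else "UPDATE REQUIRED"
        print(f"{out.strip()} -> {status}")
```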
The Chrome team continues its commitment to user security through proactive measures such as internal audits and collaboration with external researchers. Future updates will bring not only enhanced features but also further refinements in security.