Google Releases Chrome 143 with Critical Security Fixes, Urges Users to Update

Google has officially released Chrome 143 to the Stable channel, introducing version 143.0.7499.40 for Linux and 143.0.7499.40/41 for Windows and Mac users. This update addresses 13 security vulnerabilities, including several high-severity flaws that could allow attackers to execute arbitrary code or compromise the browser’s rendering engine.

Key Vulnerabilities Addressed in Chrome 143

The most critical vulnerability patched in this release is CVE-2025-13630, a Type Confusion flaw in the V8 JavaScript engine. Discovered by security researcher Shreyas Penkar, this vulnerability earned an $11,000 bounty. Type confusion vulnerabilities occur when a program allocates a resource using one type but accesses it using a different, incompatible type. In the context of a browser, exploiting such a flaw can allow a remote attacker to execute arbitrary code within the renderer sandbox by enticing a user to visit a specially crafted website.

Another significant high-severity issue is CVE-2025-13631, an inappropriate implementation flaw in the Google Updater service. Reported by researcher Jota Domingos, this vulnerability was awarded a $3,000 reward. While specific exploitation details remain restricted to prevent abuse, vulnerabilities in update mechanisms can sometimes be leveraged to establish persistence or elevate privileges on a host system.

The update also addresses CVE-2025-13632, a high-severity issue in DevTools reported by Leandro Teles, and CVE-2025-13633, a Use After Free (UAF) memory corruption bug in Digital Credentials discovered internally by Google. UAF bugs are a common class of memory-safety errors in Chrome, occurring when the browser attempts to use freed memory, leading to crashes or potential code execution.

Summary of Key External Security Contributions in Chrome 143

| CVE ID | Severity | Vulnerability Type | Component | Reward |
|---|---|---|---|---|
| CVE-2025-13630 | High | Type Confusion | V8 | $11,000 |
| CVE-2025-13631 | High | Inappropriate Implementation | Google Updater | $3,000 |
| CVE-2025-13632 | High | Inappropriate Implementation | DevTools | TBD |
| CVE-2025-13634 | Medium | Inappropriate Implementation | Downloads | TBD |
| CVE-2025-13635 | Low | Inappropriate Implementation | Downloads | $3,000 |
| CVE-2025-13636 | Low | Inappropriate Implementation | Split View | $1,000 |

Internal Security Enhancements

Beyond the externally reported vulnerabilities, Google’s internal security team identified several other issues, including a medium-severity race condition in V8 (CVE-2025-13721) and a bad cast in the Loader component (CVE-2025-13720). The Chrome team used automated testing tools such as AddressSanitizer and libFuzzer to detect these memory errors during the development cycle.

Update Deployment and User Guidance

Google has restricted access to the full bug details until a majority of the user base has updated to the patched version. This standard operating procedure minimizes the risk of threat actors reverse-engineering the patch to develop exploits for unpatched browsers.

Users on Windows, Mac, and Linux should expect the update to install automatically over the coming days. To manually check for updates, navigate to the Chrome menu, select Help, and click About Google Chrome to initiate the download of version 143.
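
Where checking the About page host by host does not scale, the fixed build number above can drive a patch-compliance check. The Python below is an added example, not code from Google or the original article; the hostnames, inventory strings and function names are constructed, and it assumes version strings have already been collected (for instance from `google-chrome --version` output).

```python
import re

# Minimum patched build named in the article (Linux .40; Windows/Mac .40/.41).
PATCHED = (143, 0, 7499, 40)
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Pull a four-part version out of text like 'Google Chrome 143.0.7499.40'."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def is_patched(text, minimum=PATCHED):
    """True/False for a parsed version; None when no version can be read."""
    version = parse_version(text)
    # Tuples of ints compare numerically, so .9 sorts below .40 and 99 below 143.
    return None if version is None else version >= minimum


def audit(inventory):
    """Sort (host, version_text) pairs into patched / outdated / unknown lists."""
    report = {"patched": [], "outdated": [], "unknown": []}
    for host, text in inventory:
        state = is_patched(text)
        key = "unknown" if state is None else "patched" if state else "outdated"
        report[key].append(host)
    return report


# Constructed inventory: hostnames and collected strings are made up for the example.
SAMPLE = [
    ("lin-01", "Google Chrome 143.0.7499.40"),
    ("win-02", "143.0.7499.41"),
    ("mac-03", "Google Chrome 143.0.7499.9"),   # newer as a string, older as a number
    ("lin-04", "Google Chrome 99.0.1.2"),       # "99" > "143" in string comparison
    ("win-05", "chrome: command not found"),
]

if __name__ == "__main__":
    for state, hosts in audit(SAMPLE).items():
        print(f"{state}: {', '.join(hosts) or '-'}")
```

Hosts that land in the unknown list need a follow-up rather than being counted as patched, since a missing or unreadable version string says nothing about the installed build.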

Conclusion

The release of Chrome 143 underscores Google’s commitment to maintaining a secure browsing environment by promptly addressing vulnerabilities. Users are strongly encouraged to update their browsers to the latest version to benefit from these critical security fixes and ensure optimal protection against potential threats.