Google has issued an urgent security update for its Chrome browser, addressing three critical vulnerabilities that could allow attackers to execute arbitrary code on users’ systems. The Stable channel has been updated to version 138.0.7204.168/.169 for Windows and Mac, and 138.0.7204.168 for Linux. This update is being rolled out to users worldwide over the coming days and weeks.
Among the addressed issues are two high-severity type confusion vulnerabilities in Chrome’s V8 JavaScript engine, both discovered and reported by security researcher Shaheen Fazim on July 9, 2025. These flaws, identified as CVE-2025-8010 and CVE-2025-8011, pose significant threats to browser security.
CVE-2025-8010 earned an $8,000 bug bounty reward, reflecting its severity and potential impact. The reward for the second vulnerability, CVE-2025-8011, is still pending determination, but the flaw carries equally serious implications for user safety.
Understanding Type Confusion Vulnerabilities
Type confusion vulnerabilities occur when software accesses resources using incorrect data types, leading to unexpected behavior and potential security breaches. In the context of Chrome’s V8 JavaScript engine, these flaws can be particularly dangerous as they allow attackers to manipulate memory allocations and potentially execute arbitrary code through specially crafted web pages.
According to cybersecurity researchers, type confusion, often combined with use-after-free, is the main attack vector used to compromise modern C++ software like browsers. These vulnerabilities can lead to heap corruption, memory corruption, and ultimately arbitrary code execution when successfully exploited.
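A minimal illustration of the type confusion pattern described above, as an added example that is not taken from Google's advisory or from V8's code. The toy object model (`value_t`, its tag, and both accessors) is constructed for illustration: the unchecked accessor reinterprets a number's bits as an address, while the hardened accessor validates the type tag first and fails closed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy object model for illustration; not V8's representation. */
typedef enum { KIND_NUMBER, KIND_BUFFER } kind_t;

typedef struct {
    kind_t kind;              /* tag: which union member is currently valid */
    union {
        double   number;      /* valid only when kind == KIND_NUMBER */
        uint64_t buffer_addr; /* valid only when kind == KIND_BUFFER */
    } u;
} value_t;

/* Flawed accessor: trusts the caller's assumption and never reads the tag. */
uint64_t buffer_addr_unchecked(const value_t *v) {
    return v->u.buffer_addr;
}

/* Hardened accessor: verifies the tag and fails closed on a mismatch. */
int buffer_addr_checked(const value_t *v, uint64_t *out) {
    if (v == NULL || out == NULL || v->kind != KIND_BUFFER)
        return -1;
    *out = v->u.buffer_addr;
    return 0;
}

/* Raw bit pattern of a double, to compare with what the flawed path returns. */
uint64_t double_bits(double d) {
    uint64_t bits;
    memcpy(&bits, &d, sizeof bits);
    return bits;
}

int main(void) {
    value_t v = { .kind = KIND_NUMBER, .u.number = 1.5 }; /* constructed input */
    uint64_t addr = 0;

    /* The value is never dereferenced; it is only printed to show the mix-up. */
    printf("unchecked: number 1.5 read as address 0x%016llx\n",
           (unsigned long long)buffer_addr_unchecked(&v));
    printf("checked:   %s\n",
           buffer_addr_checked(&v, &addr) == 0 ? "accepted"
                                               : "rejected (tag mismatch)");
    return 0;
}
```

The flawed path turns a value chosen by the input into something the program would treat as a pointer, which is why a missing type check in an engine is classed as a memory-safety bug rather than a logic error.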
The Rising Threat Landscape
This update comes amid a concerning trend of increasing browser-based security threats. Security experts report that vulnerabilities in 2024 rose by 61% compared to 2023, with nearly 50,000 vulnerabilities forecasted for 2025. Chrome’s V8 engine has become a particularly attractive target for cybercriminals, with Google offering enhanced bug bounty rewards of up to $20,000 for high-quality V8 vulnerability reports.
The V8 JavaScript engine, which powers not only Chrome but also other Chromium-based browsers like Microsoft Edge and Brave, processes billions of web interactions daily, making these vulnerabilities especially critical. When exploited, these flaws could allow attackers to bypass Chrome’s security sandbox and gain access to the underlying operating system.
Immediate Action Required
Security researchers emphasize that users should update their browsers immediately. Modern type confusion attacks can be triggered simply by visiting a malicious website, requiring no additional user interaction. The attack typically begins with attackers crafting malicious HTML pages containing specially designed JavaScript code that exploits these V8 engine vulnerabilities.
Google’s security team has also acknowledged the work of various internal security initiatives, including AddressSanitizer, MemorySanitizer, and fuzzing techniques that help identify such vulnerabilities before they reach production. However, the discovery of these high-severity issues by external researchers demonstrates the ongoing challenges in securing complex browser engines.
Chrome users should verify their browser version by navigating to Settings > About Chrome and allowing any pending updates to install automatically. Given the severity of these vulnerabilities and their potential for exploitation in drive-by attacks, immediate patching is strongly recommended.