Google has released a critical security update for its Chrome browser across Windows, Mac, and Linux platforms, addressing a severe vulnerability that could allow attackers to execute arbitrary code remotely. Users are strongly advised to update their browsers immediately to safeguard against potential threats.
Details of the Update
The Stable channel has been updated to version 140.0.7339.127/.128 for Windows, 140.0.7339.132/.133 for Mac, and 140.0.7339.127 for Linux. This update is being rolled out progressively and will become available to all users over the coming days and weeks. It follows the initial release of Chrome 140, which also addressed several other security issues.
Addressed Vulnerabilities
The update resolves two major security flaws:
1. CVE-2025-10200: Critical Use-After-Free Vulnerability in ServiceWorker
This vulnerability is rated as critical and is described as a Use-after-free bug in the ServiceWorker component. A use-after-free flaw occurs when a program attempts to use memory after it has been deallocated, which can lead to crashes, data corruption, or, in the worst case, arbitrary code execution. An attacker could exploit this vulnerability by crafting a malicious webpage that, when visited by a user, could allow the attacker to run malicious code on the victim’s system. Security researcher Looben Yang reported this critical flaw on August 22, 2025. In recognition of the severity of the discovery, Google has awarded a bug bounty of $43,000.
2. CVE-2025-10201: High-Severity Inappropriate Implementation in Mojo
The second vulnerability patched in this release is CVE-2025-10201, a high-severity flaw identified as an Inappropriate implementation in Mojo. Mojo is a collection of runtime libraries used for inter-process communication within Chromium, the open-source project that powers Chrome. Flaws in this component can be particularly dangerous as they can potentially compromise the browser’s sandbox, a key security feature that isolates processes to prevent exploits from affecting the underlying system. This vulnerability was reported by Sahan Fernando and an anonymous researcher on August 18, 2025. The reporters were awarded a $30,000 bounty for their findings.
Importance of Immediate Update
Google is rolling out the update gradually, but users can manually check for and apply the update by navigating to Settings > About Google Chrome. The browser will automatically scan for the latest version and prompt the user to relaunch it to complete the update process.
As is standard practice, Google has restricted access to detailed information about the bugs to prevent attackers from developing exploits before a majority of users have installed the patch. This highlights the importance of applying security updates as soon as they become available.
Understanding Use-After-Free Vulnerabilities
A use-after-free vulnerability occurs when a program continues to use a pointer after it has been freed. This can lead to arbitrary code execution, data corruption, or crashes. In the context of web browsers like Chrome, such vulnerabilities can be particularly dangerous as they can be exploited through malicious web content, potentially allowing attackers to execute code on the user’s machine.
The Role of ServiceWorker in Chrome
ServiceWorker is a script that runs in the background of a browser, separate from web pages, opening the door to features that don’t need a web page or user interaction. They enable functionalities like push notifications and background data synchronization. However, vulnerabilities in ServiceWorker can be exploited to execute malicious code, making it a critical component to secure.
Mojo and Its Significance
Mojo is a collection of runtime libraries that facilitate inter-process communication in Chromium. It plays a crucial role in the browser’s architecture by enabling different components to communicate securely and efficiently. An inappropriate implementation in Mojo can lead to security breaches, as it may allow malicious code to bypass the browser’s sandbox, a security mechanism designed to isolate web content from the user’s system.
Bug Bounty Program and Its Impact
Google’s bug bounty program incentivizes security researchers to find and report vulnerabilities in its products. By offering substantial rewards, Google encourages the discovery and responsible disclosure of security flaws, allowing them to be patched before they can be exploited maliciously. The recent bounties awarded for CVE-2025-10200 and CVE-2025-10201 underscore the program’s importance in maintaining the security of Chrome.
Steps to Update Chrome
To ensure your browser is up to date:
1. Open Chrome.
2. Click on the three-dot menu in the upper-right corner.
3. Navigate to Settings.
4. Click on About Google Chrome.
5. Chrome will automatically check for updates and install them.
6. Once the update is installed, click Relaunch to complete the process.
Conclusion
The release of this critical update underscores the importance of keeping software up to date to protect against emerging security threats. Users are urged to apply the update promptly to ensure their systems remain secure.
