Chrome Security Update – Patch for Multiple High-Severity Vulnerabilities


Google has rolled out a critical security update for its Chrome browser, addressing multiple high-severity vulnerabilities that could enable arbitrary code execution and sandbox escapes. 

The Stable Channel Update 134.0.6998.88/.89 for Windows and Mac, and 134.0.6998.88 for Linux, released on March 10, 2025, includes patches for five security flaws, three of which are rated as high-risk. 

Simultaneously, the Extended Stable Channel—used primarily by enterprises for phased testing—has been updated to 134.0.6998.89 for Windows and Mac, with a gradual rollout planned over the coming weeks.

This update follows a pattern of heightened scrutiny on Chrome’s V8 JavaScript engine and GPU components, both of which remain prime targets for exploitation.

High-Severity Vulnerabilities Patched

The most critical fixes target CVE-2025-1920 and CVE-2025-2135, two type confusion vulnerabilities in the V8 JavaScript engine.

Type confusion flaws, classified under CWE-843, occur when code initializes a resource as one type but later accesses it as an incompatible type, leading to memory corruption. 

In Chrome’s case, this could allow attackers to execute arbitrary code or escape the browser’s security sandbox via a malicious HTML page. 

CVE-2025-1920, reported by Excello s.r.o., earned a $7,000 bounty, while CVE-2025-2135, identified by Zhenghang Xiao (@Kipreyyy), underscores ongoing risks in V8’s architecture.

A third high-severity flaw, CVE-TBD, involves an out-of-bounds write in Chrome’s GPU component.

Such vulnerabilities enable attackers to write data beyond allocated memory boundaries, potentially crashing systems or enabling remote code execution. 

GPU-related exploits are particularly concerning due to their complexity and the difficulty of detecting malicious activity post-compromise.

Medium-Severity Fixes

The update also addresses CVE-2025-2136, a use-after-free vulnerability in the Inspector component, and CVE-2025-2137, an out-of-bounds read in V8. 

Use-after-free flaws arise when a program references deallocated memory, often leading to crashes or code execution, while out-of-bounds reads can expose sensitive data. 

These medium-severity issues, reported by Sakana.S ($3000 bounty) and zeroxiaobai@ ($2000 bounty) respectively, highlight persistent memory management challenges in Chrome’s subsystems.

Exploitation Risks and Mitigation

While Google has not confirmed active exploitation of these vulnerabilities, the severity of the patched flaws necessitates immediate action. 

Attackers could weaponize these issues through drive-by compromises, where simply visiting a malicious site triggers exploitation.

For instance, a crafted HTML page exploiting CVE-2025-1920 could corrupt heap memory, bypassing Chrome’s sandbox protections to install malware or exfiltrate data.

Although Chrome updates automatically, users must manually restart the browser to activate the latest patches—a step often overlooked. 

To ensure protection, navigate to Chrome Settings > About Chrome to trigger an immediate update check. Enterprises managing fleet deployments should prioritize rollout, given the risks of delayed patching.

This update marks the fourth major Chrome security release in 2025, reflecting escalating threats to browser components like V8 and GPU. 

The repeated appearance of type confusion flaws suggests that Chrome’s JavaScript engine remains a high-value target for attackers, necessitating continuous scrutiny by Google’s security teams.

Users and administrators are advised to update Chrome to version 134.0.6998.88 or later without delay.
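For fleet checks, the sketch below is an added example, not code from Google or from this article's source. It classifies hosts against the fixed build 134.0.6998.88 and separates machines that have the update installed but are still running an old process. The inventory rows, host names and the idea that an inventory tool reports both installed and running versions are assumptions; the sample values are constructed.

```python
"""Flag Chrome installs below the fixed build, or updated but not yet restarted."""
import re

# Fixed build named in the advisory text above (Windows, Mac and Linux).
FIXED = (134, 0, 6998, 88)
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", re.ASCII)

def parse_version(text):
    """Parse '134.0.6998.88' or a string ending in it into a tuple of ints."""
    tokens = text.split()
    match = _VERSION.fullmatch(tokens[-1]) if tokens else None
    if match is None:
        raise ValueError(f"not a Chrome version: {text!r}")
    return tuple(int(part) for part in match.groups())

def classify(installed, running=None):
    """Return 'vulnerable', 'restart-needed', 'patched' or 'unknown'."""
    try:
        inst = parse_version(installed)
        run = parse_version(running) if running else None
    except ValueError:
        return "unknown"  # surface unparseable data instead of assuming safe
    if inst < FIXED:  # tuple comparison is numeric, field by field
        return "vulnerable"
    if run is not None and run < FIXED:
        return "restart-needed"  # patch is on disk, old binary still in memory
    return "patched"

def audit(rows):
    """rows: iterable of (host, installed_version, running_version_or_None)."""
    return {host: classify(inst, run) for host, inst, run in rows}

# Constructed inventory (hypothetical hosts and versions, not real telemetry).
INVENTORY = [
    ("win-ws-01", "134.0.6998.89", "134.0.6998.89"),
    ("mac-ws-02", "Google Chrome 134.0.6998.88", "134.0.6998.35"),
    ("lin-ws-03", "134.0.6998.35", "134.0.6998.35"),
    ("win-ws-04", "133.0.6943.142", None),
    ("lin-ws-05", "134.0.6998.9", None),    # .9 < .88 numerically
    ("win-ws-06", "134.0.6998.100", None),  # .100 > .88 numerically
    ("mac-ws-07", "n/a", None),
]

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:10} {status}")
```

Comparing the version fields as integers matters here: a plain string comparison would rank build .9 above .88 and .100 below it.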

As browser-based attacks grow in sophistication, maintaining rigorous patch discipline remains the most effective defense against evolving threats.
