Chrome Vulnerabilities Let Attackers Execute Malicious Code Remotely
Google has released an urgent security update for Chrome after discovering multiple high-severity vulnerabilities that could allow attackers to execute malicious code remotely on users’ systems.
The most critical flaw, a “Use after free” vulnerability in the browser’s Compositing system, poses significant risks to users who have not yet updated their browsers.
Security researchers warn that these flaws could be exploited to gain control of affected systems, potentially leading to data theft, installation of malware, or further system compromise.
Users are strongly advised to update their Chrome installations immediately to version 137.0.7151.40/.41 for Windows and Mac.
High-Severity Security Flaw Discovered in Chrome Browser
On Wednesday, May 21, 2025, Google released an early stable update to address eight security vulnerabilities in the Chrome browser.
The update was initially rolled out to a small percentage of users as part of Google’s phased deployment strategy, but given the severity of the flaws, security experts recommend that all users update immediately.
The most critical issue, CVE-2025-5063, is a “Use after free” vulnerability in the Compositing system, which handles how Chrome renders visual elements on web pages.
Google’s security team assigned the issue a “high” severity rating, indicating its potential for significant harm if exploited.
This vulnerability could potentially allow attackers to execute malicious code remotely by tricking users into visiting specially crafted websites.
Use-after-free vulnerabilities are particularly dangerous because the program keeps using memory after it has been freed; an attacker who can control what that memory is reused for may be able to execute arbitrary code.
Google’s push of an early stable release indicates the urgency of this security patch, as the company typically reserves such actions for critical security issues that may be actively exploited in the wild.
Medium and Low Severity Vulnerabilities
Additional vulnerabilities fixed in this update include:
CVE-2025-5064: Maurice Dauer reported a medium-severity inappropriate implementation in Background Fetch, allowing attackers to bypass security checks for background downloads. This flaw could enable malicious actors to manipulate download processes or abuse browser APIs, risking data integrity. Google awarded a $4,000 bounty for this reported issue.
CVE-2025-5065: This medium-severity flaw in the FileSystemAccess API stemmed from improper permission controls, reported by NDevTK in 2022, earning a $2,000 reward. Exploiting it could let malicious websites access or modify local files without user consent.
CVE-2025-5066: Discovered by Mohit Raj (shadow2639), this medium-severity issue in Chrome’s Messages component involved flawed policy enforcement. It could allow attackers to intercept or manipulate browser-to-user communications, potentially leading to data leaks. A $1,000 bounty was issued for this 2024-reported vulnerability.
CVE-2025-5067: A low-severity inappropriate implementation in the Tab Strip UI, reported by Khalil Zhani in 2023, risked phishing attacks via tab spoofing. Though less critical, it highlighted UI-level vulnerabilities that could mislead users. Google awarded $500 for this finding.
The security bulletin noted that “access to bug details and links may be kept restricted until a majority of users are updated with a fix,” suggesting Google is taking precautions to prevent widespread exploitation of these vulnerabilities.
How to Update Your Chrome Browser
Updating Chrome is a straightforward process that provides immediate protection against these security threats. To update Chrome:
- Click the three-dot menu in the upper-right corner of Chrome.
- Navigate to Help > About Google Chrome.
- Chrome will automatically check for and install any available updates.
- Verify your Chrome version is 137.0.7151.40 or 137.0.7151.41 (for Windows and Mac).
- Restart the browser to complete the update process.
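For administrators checking a fleet rather than a single machine, here is an added example (not from the article) of a small Python check that compares each reported Chrome version numerically against the fixed build named above; the hostnames and versions in the inventory are constructed sample data.

```python
"""Flag endpoints whose Chrome build predates the fixed release in the bulletin."""
from typing import Iterable

# First Chrome build carrying the fixes described above (version from the bulletin).
FIXED_VERSION = "137.0.7151.40"

def parse_version(version: str) -> tuple[int, ...]:
    """Turn '137.0.7151.40' into (137, 0, 7151, 40); raise on malformed input."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)

def is_patched(version: str) -> bool:
    """True when the installed build is at or above FIXED_VERSION.

    Components are compared numerically, so 137.0.7151.41 and later count as
    patched while 136.0.7103.114 does not; a plain string comparison would
    misorder builds such as 9.x against 137.x.
    """
    return parse_version(version) >= parse_version(FIXED_VERSION)

def hosts_needing_update(inventory: Iterable[tuple[str, str]]) -> list[str]:
    """Return hosts that are unpatched or whose version could not be parsed.

    Unparseable entries are reported rather than silently skipped.
    """
    stale = []
    for host, version in inventory:
        try:
            if not is_patched(version):
                stale.append(host)
        except ValueError:
            stale.append(host)
    return stale

# Constructed sample inventory (hostname, reported Chrome version); not real data.
SAMPLE_INVENTORY = [
    ("ws-001", "136.0.7103.114"),  # older stable build, needs update
    ("ws-002", "137.0.7151.40"),   # fixed build (Windows/Mac)
    ("ws-003", "137.0.7151.41"),   # also a fixed build
    ("ws-004", "9.0.0.0"),         # string comparison would wrongly rank this newer
    ("ws-005", "unknown"),         # agent could not read the version
]

if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: update Chrome to {FIXED_VERSION} or later")
```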
Security experts recommend enabling automatic updates for browsers and all software to ensure timely protection against newly discovered vulnerabilities.
Additionally, users should be cautious when visiting unfamiliar websites and avoid clicking on suspicious links or downloading files from untrusted sources.
Google’s security team and external researchers who reported these vulnerabilities through the Chrome Vulnerability Reward Program continue to monitor for potential exploits.