Multiple Chrome Vulnerabilities Expose Users to Arbitrary Code Execution Attacks


Google has released Chrome version 141.0.7390.65/.66 for Windows and Mac, along with 141.0.7390.65 for Linux, addressing multiple critical security vulnerabilities that could allow attackers to execute arbitrary code on affected systems. 

The update, announced on October 7, 2025, includes three security fixes for flaws that pose serious risks to users worldwide.

Heap Buffer Overflow and Memory Corruption Flaws

The most severe vulnerability in this release is CVE-2025-11458, a heap buffer overflow in Chrome’s Sync component that has been assigned a High severity rating. 

Discovered by security researcher Raven at KunLun lab on September 5, 2025, this flaw earned a $5,000 bounty reward from Google’s Vulnerability Reward Program. 

Heap buffer overflows occur when a program writes data beyond the allocated memory buffer boundaries, potentially allowing attackers to corrupt adjacent memory regions and execute arbitrary code.

The second High-severity vulnerability, CVE-2025-11460, is a use-after-free in Chrome’s Storage component. 


Reported by researcher Sombra on September 23, 2025, this High-severity flaw occurs when the browser attempts to access memory that has already been freed, creating opportunities for attackers to manipulate memory allocation and achieve code execution. 

Use-after-free vulnerabilities are particularly dangerous as they can lead to complete system compromise when successfully exploited.

Additionally, CVE-2025-11211 addresses an out-of-bounds read vulnerability in WebCodecs, reported by Jakob Košir on August 29, 2025. 

This Medium-severity flaw, which earned a $3,000 reward, allows attackers to read memory outside allocated boundaries, potentially exposing sensitive information or facilitating further exploitation chains.

CVE Title Severity
CVE-2025-11458 Heap buffer overflow in Sync High
CVE-2025-11460 Use after free in Storage High
CVE-2025-11211 Out of bounds read in WebCodecs Medium

Mitigations

Google’s security team employed multiple advanced detection methodologies to identify these vulnerabilities, including AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL fuzzing techniques. 

These automated security testing tools continuously analyze Chrome’s codebase for memory corruption issues, race conditions, and other security-critical bugs before they reach production environments.

The Chrome development team has implemented comprehensive mitigations within the browser’s architecture, including sandboxing mechanisms that isolate rendering processes and limit the potential impact of successful exploits. 

However, users should install the security update promptly. Google restricts access to detailed vulnerability information until the majority of users have updated their browsers, so that the disclosed details cannot be turned into widespread exploitation of these flaws.
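A quick way to confirm that installed browsers have reached the fixed build described above, as an added example that is not part of the original article or of Chrome itself. It parses version strings as printed by `google-chrome --version` or recorded in a software inventory and flags anything below 141.0.7390.65; the host names and inventory lines are constructed samples.

```python
"""Flag Chrome installs that predate the October 7, 2025 security release.

The release note gives 141.0.7390.65/.66 for Windows and Mac and
141.0.7390.65 for Linux, so 141.0.7390.65 is the minimum build on every
platform that contains the fixes for CVE-2025-11458, CVE-2025-11460 and
CVE-2025-11211. Anything lower, including every older branch, needs the update.
"""
import re

MIN_FIXED_VERSION = (141, 0, 7390, 65)

# Matches the four-part version in strings such as "Google Chrome 141.0.7390.54".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the version as a tuple of ints, or None if no version is present."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def is_patched(version):
    """True if the tuple `version` is at or above the minimum fixed build."""
    return version >= MIN_FIXED_VERSION


def audit(inventory):
    """inventory: list of (host, version_text). Returns hosts that need the update.

    A host whose version cannot be parsed is reported too, since an unknown
    version cannot be assumed to be fixed.
    """
    needs_update = []
    for host, text in inventory:
        version = parse_version(text)
        if version is None or not is_patched(version):
            needs_update.append(host)
    return needs_update


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    ("ws-01", "Google Chrome 141.0.7390.66"),
    ("ws-02", "Google Chrome 141.0.7390.54"),
    ("mac-03", "Google Chrome 140.0.7339.207"),
    ("lx-04", "Google Chrome 141.0.7390.65"),
    ("lx-05", "version string missing"),
]

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: update required")
```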






About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.