Google rolled out version 141.0.7390.65/.66 for Windows and Mac and 141.0.7390.65 for Linux.
This update fixes three security flaws, two rated High and one Medium, all of them memory-safety errors in native browser code. The two High-severity bugs (a heap buffer overflow and a use-after-free) are the kind an attacker can turn into arbitrary code execution in the context of the affected browser process; the Medium-severity out-of-bounds read is primarily an information-disclosure primitive.
External researchers found all three and reported them through Google’s vulnerability reward program. The rewards announced so far are $3,000 and $5,000, with one still to be determined.
Details of the Flaws
The first High-severity flaw, CVE-2025-11458, is a heap buffer overflow in Chrome Sync.
An attacker could craft malicious synchronization data that overflows a memory buffer, potentially allowing the execution of arbitrary code when the browser processes it.
This issue was reported by “raven” at KunLun Lab on September 5, 2025, and earned a $5,000 reward.
CVE | Severity | Component | Reported by | Reward
--- | --- | --- | --- | ---
CVE-2025-11458 | High | Chrome Sync | raven at KunLun Lab | $5,000
CVE-2025-11460 | High | Storage | Sombra | TBD
CVE-2025-11211 | Medium | WebCodecs | Jakob Košir | $3,000
The second High-severity flaw, CVE-2025-11460, is a use-after-free in the Storage component. A crafted script or web page could cause the browser to touch a storage object after it has been freed, corrupting memory in a way that can be leveraged for code execution.
Researcher Sombra reported this vulnerability on September 23, 2025. Google lists the reward as still to be determined.
The Medium-severity flaw, CVE-2025-11211, is an out-of-bounds read in WebCodecs.
By feeding malformed input to the media encoding/decoding API, an attacker could make the browser read past the end of an allocated buffer. An out-of-bounds read on its own leaks memory contents rather than corrupting them, but the leaked data (for example heap addresses that defeat ASLR) is commonly used to make a separate memory-corruption bug exploitable. Jakob Košir reported this issue on August 29, 2025, and received a $3,000 bounty.
All three vulnerabilities share one prerequisite: the victim must open or interact with attacker-controlled web content that triggers the underlying memory error.
No user privileges or prior compromise are needed, which makes these flaws well suited to drive-by attacks delivered through malicious or compromised websites and malvertising.
Users should update to Chrome 141.0.7390.65 or later (141.0.7390.66 on Windows and Mac) now. Chrome updates itself by default, but a downloaded update only takes effect after the browser is relaunched; users can confirm the installed version, and trigger a pending update, at chrome://settings/help (“About Google Chrome”).
Enterprises that manage Chrome via Group Policy or a management console should push the update to every endpoint without delay and verify the installed version on each host rather than assuming auto-update succeeded.
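As an added example (not code from Google or from the article), a small Python script a fleet administrator can run over an inventory export, or against the local install, to verify that the fixed build actually landed. It assumes Chrome’s four-part MAJOR.MINOR.BUILD.PATCH version format and treats 141.0.7390.65 as the floor on every platform (the Windows/Mac .66 build is simply a later patch number); the host names and version strings in SAMPLE_INVENTORY are constructed, not real data.

```python
#!/usr/bin/env python3
"""Check whether installed Chrome builds include the 141.0.7390.65 fixes.

Added example, not Google's code. Assumes version strings in Chrome's
four-part MAJOR.MINOR.BUILD.PATCH format, as printed by
`google-chrome --version` ("Google Chrome 141.0.7390.65") or as found in
an MDM / inventory export.
"""
import re
import shutil
import subprocess
from typing import Dict, Iterable, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# First build carrying the fixes for CVE-2025-11458, CVE-2025-11460 and
# CVE-2025-11211: 141.0.7390.65 on Linux, 141.0.7390.65/.66 on Windows
# and Mac, so .65 is the minimum acceptable patch level everywhere.
FIXED_VERSION: Version = (141, 0, 7390, 65)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract the first MAJOR.MINOR.BUILD.PATCH tuple from arbitrary text.

    Returns None when no four-part version is present so that callers treat
    an unparseable inventory row as 'unknown' rather than silently 'patched'.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, build, patch = (int(p) for p in m.groups())
    return (major, minor, build, patch)


def is_patched(text: str, fixed: Version = FIXED_VERSION) -> bool:
    """True if the version found in `text` is at or above the fixed build.

    Tuple comparison is numeric per component, so 141.0.7390.100 ranks above
    .66 and 142.0.1.1 above 141.0.7390.65; plain string comparison gets both
    of those wrong.
    """
    v = parse_version(text)
    return v is not None and v >= fixed


def installed_version() -> Optional[str]:
    """Best-effort lookup of the local Chrome/Chromium version via the CLI.

    Only meaningful on Linux/macOS where the binary is on PATH; returns None
    when no known executable is found.
    """
    for exe in ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser"):
        path = shutil.which(exe)
        if path:
            out = subprocess.run([path, "--version"], capture_output=True, text=True, timeout=10)
            return out.stdout.strip()
    return None


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Split (hostname, version_text) rows into patched / unpatched / unknown."""
    report: Dict[str, List[str]] = {"patched": [], "unpatched": [], "unknown": []}
    for host, text in inventory:
        v = parse_version(text)
        if v is None:
            report["unknown"].append(host)
        elif v >= FIXED_VERSION:
            report["patched"].append(host)
        else:
            report["unpatched"].append(host)
    return report


# Constructed sample inventory (hypothetical hosts) in the formats an MDM
# export or `google-chrome --version` would produce.
SAMPLE_INVENTORY = [
    ("lin-01", "Google Chrome 141.0.7390.65"),
    ("win-02", "Google Chrome 141.0.7390.66 (Official Build) (64-bit)"),
    ("mac-03", "140.0.7339.207"),
    ("win-04", "Google Chrome 141.0.7390.54"),
    ("lin-05", "not installed"),
]

if __name__ == "__main__":
    local = installed_version()
    if local:
        print(f"local: {local} -> {'patched' if is_patched(local) else 'UNPATCHED'}")
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts that land in the "unknown" bucket deserve a manual look: an empty or malformed version field usually means the agent never reported, not that Chrome is absent.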
Web developers and administrators should keep following content-security best practices, such as strict Content Security Policy (CSP) headers that limit which scripts may run and sanitization of user-supplied data. Those controls protect a site against script injection; they do not prevent a memory-safety bug in the browser itself from being exploited, so they complement, rather than replace, updating the browser.
Teams shipping native code can catch this class of bug before release with the same tooling Chrome relies on: AddressSanitizer flags heap overflows, use-after-free and out-of-bounds reads during testing and fuzzing, and Control Flow Integrity is a compile-time hardening that makes hijacked control flow harder to exploit.
Google notes that many of its security bugs are found with AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer and AFL.
Continued collaboration between researchers and vendors remains crucial for keeping browsers and web applications secure.