Google has issued an urgent security update for its Chrome browser, addressing a high-severity vulnerability tracked as CVE-2025-11756. This flaw, which affects Chrome’s Safe Browsing feature, could allow attackers to execute arbitrary code on users’ machines, posing a direct threat to user privacy and system security.
Details of the CVE-2025-11756 Vulnerability
The vulnerability is a use-after-free flaw, an issue that arises when an application continues to use memory after it has been released. This type of memory corruption can lead to unpredictable behavior, including the potential for attackers to inject and execute malicious code.
In the case of CVE-2025-11756, the issue was found within Chrome’s Safe Browsing component. Safe Browsing is designed to shield users from malicious websites and harmful downloads. Because this feature operates with elevated privileges, any flaw within it is particularly critical.
According to Google’s internal security classification, this vulnerability was rated High severity. If successfully exploited, it could allow cybercriminals to gain unauthorized access to a user’s system, potentially enabling them to install malware, exfiltrate data, or compromise user accounts.
Discovery and Bug Bounty Reward
The vulnerability was discovered and responsibly disclosed by a security researcher known by the handle “asnine” on September 25, 2025. For their efforts, the researcher received a $7,000 reward through Google’s bug bounty program, which incentivizes independent security researchers to report security flaws.
Google publicly acknowledged the contribution, stating, “We would also like to thank all security researchers who worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.”
Security Update Rollout
In response to the vulnerability, Google released a security patch via Chrome version 141.0.7390.107/.108 for Windows and Mac, and version 141.0.7390.107 for Linux. The update began rolling out on October 14, 2025, and will continue to reach users globally over the following days and weeks.
The official release statement from Google’s Chrome team read:
“The Stable channel has been updated to 141.0.7390.107/.108 for Windows and Mac and 141.0.7390.107 for Linux, which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log.”
To minimize risk, Google is restricting access to technical details of the vulnerability until a majority of users have installed the update. This strategy is aligned with their standard disclosure policy and aims to prevent active exploitation by malicious actors during the patch window.
Additionally, if the issue exists in shared third-party libraries used by other projects, disclosure may remain limited until those projects also deploy fixes.
Security Tools and Detection Measures
To detect and mitigate vulnerabilities like CVE-2025-11756, Google relies heavily on advanced security tools such as AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL. These tools help identify potential flaws during the development and testing phases.
The fact that the vulnerability affects the Safe Browsing feature adds another layer of concern, as this component is central to Chrome’s protection mechanisms. Users are strongly advised to update their browsers immediately to ensure they are not left vulnerable.
While there are currently no public reports of this vulnerability being exploited in the wild, delays in updating can leave systems open to attack, especially once details about the flaw become more widely known.
