Google has released Chrome version 142 to the stable channel, addressing multiple critical security vulnerabilities that could allow attackers to execute malicious code on affected systems.
The update, now rolling out to Windows, Mac, and Linux users, contains fixes for 20 security flaws discovered by external researchers and Google’s internal security teams.
Overview of the Vulnerabilities
The Chrome 142 release tackles seven high-severity vulnerabilities, with several affecting V8, the engine Chrome uses to run JavaScript.
| CVE ID | Severity | Vulnerability Type |
| --- | --- | --- |
| CVE-2025-12428 | High | Type Confusion in V8 |
| CVE-2025-12429 | High | Inappropriate Implementation in V8 |
| CVE-2025-12430 | High | Object Lifecycle Issue in Media |
| CVE-2025-12431 | High | Inappropriate Implementation in Extensions |
| CVE-2025-12432 | High | Race Condition in V8 |
| CVE-2025-12433 | High | Inappropriate Implementation in V8 |
| CVE-2025-12036 | High | Inappropriate Implementation in V8 |
| CVE-2025-12434 | Medium | Race Condition in Storage |
| CVE-2025-12435 | Medium | Incorrect Security UI in Omnibox |
| CVE-2025-12436 | Medium | Policy Bypass in Extensions |
| CVE-2025-12437 | Medium | Use After Free in PageInfo |
| CVE-2025-12438 | Medium | Use After Free in Ozone |
| CVE-2025-12439 | Medium | Inappropriate Implementation in App-Bound Encryption |
| CVE-2025-12441 | Medium | Out of Bounds Read in V8 |
| CVE-2025-12443 | Medium | Out of Bounds Read in WebXR |
| CVE-2025-12440 | Low | Inappropriate Implementation in Autofill |
| CVE-2025-12444 | Low | Incorrect Security UI in Fullscreen UI |
| CVE-2025-12445 | Low | Policy Bypass in Extensions |
| CVE-2025-12446 | Low | Incorrect Security UI in SplitView |
| CVE-2025-12447 | Low | Incorrect Security UI in Omnibox |
Two of the most critical flaws, CVE-2025-12428 and CVE-2025-12429, earned researchers $50,000 bounties each for discovering type confusion and inappropriate implementation issues in V8.
These vulnerabilities could potentially enable attackers to execute arbitrary code by exploiting how Chrome processes JavaScript.
Man Yue Mo from GitHub Security Lab identified the type confusion vulnerability in V8, while researcher Aorui Zhang uncovered the inappropriate implementation flaw.
Additional high-severity issues include an object lifecycle problem in Media components, race conditions in V8, and inappropriate implementation flaws.
Notably, Google’s Big Sleep security initiative contributed several discoveries, demonstrating the effectiveness of automated vulnerability detection systems.
Beyond the high-severity flaws, Chrome 142 resolves eight medium-severity vulnerabilities affecting various browser components.
These include use-after-free vulnerabilities in PageInfo and Ozone, race conditions in Storage, and out-of-bounds read issues in V8 and WebXR.
Security researchers also identified policy bypass weaknesses in Extensions and incorrect security UI implementations in Omnibox that could mislead users about website authenticity.
The update also patches five low-severity vulnerabilities related to incorrect security UI displays and policy bypass issues in Extensions.
Google awarded security bounties totalling over $140,000 to external researchers who responsibly disclosed these vulnerabilities, reinforcing the company’s commitment to its vulnerability rewards program.
Chrome 142.0.7444.59 for Linux, version 142.0.7444.60 for Windows, and version 142.0.7444.60 for Mac will be automatically deployed to users over the coming days and weeks.
Google continues to restrict access to detailed bug information until most users have received the security patches, thereby preventing potential exploitation of unpatched systems.
Organisations running Chrome in enterprise environments should prioritise testing and deploying this update to maintain a secure posture.
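For teams tracking the rollout, the following added example (not Google's tooling and not part of the original report) checks a Chrome inventory against the fixed builds listed above. The platform labels, function names and sample inventory are assumptions made for illustration.

```python
# Fixed builds as stated in the article; the platform keys are this example's own labels.
FIXED_BUILDS = {
    "linux": "142.0.7444.59",
    "windows": "142.0.7444.60",
    "mac": "142.0.7444.60",
}

def parse_version(text):
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(platform, version):
    """Return 'patched', 'outdated' or 'unknown' for one inventory record."""
    fixed = FIXED_BUILDS.get(platform.lower())
    found = parse_version(version)
    if fixed is None or found is None:
        return "unknown"  # unrecognised platform or unparseable version: review by hand
    # Compare numerically: as strings, "142.0.7444.100" would sort before "142.0.7444.59".
    return "patched" if found >= parse_version(fixed) else "outdated"

def audit(inventory):
    """Group hostnames by status so outdated and unknown hosts can be followed up."""
    report = {"patched": [], "outdated": [], "unknown": []}
    for host, platform, version in inventory:
        report[classify(platform, version)].append(host)
    return report

# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = [
    ("build-01", "linux", "142.0.7444.59"),
    ("desk-17", "windows", "142.0.7444.59"),
    ("desk-22", "windows", "142.0.7444.100"),
    ("mbp-04", "mac", "141.0.7000.1"),
    ("kiosk-09", "linux", "142.0.7444"),
    ("tab-02", "chromeos", "142.0.7444.60"),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown are not treated as patched, so an unparseable version string or an unlisted platform still gets a manual look.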