Chrome Emergency Update to Patch Multiple Vulnerabilities that Enable Remote Code Execution

Google has rolled out an urgent security patch for its Chrome browser, addressing five vulnerabilities that could enable attackers to execute malicious code remotely.

The update, version 142.0.7444.134/.135 for Windows, 142.0.7444.135 for macOS, and 142.0.7444.134 for Linux, targets critical flaws in core components like WebGPU and the V8 JavaScript engine.

The patch arrives amid heightened scrutiny of browser security, as WebGPU, a modern API for GPU-accelerated web applications, has become a prime target for sophisticated exploits.

Remote code execution vulnerabilities in such components could allow malicious websites to hijack user systems without any interaction beyond visiting a compromised page.

Google emphasized that the fixes were developed in collaboration with external researchers, preventing these issues from reaching a wider audience. The update will propagate gradually over the coming days and weeks to ensure stability across millions of devices worldwide.

Key Vulnerabilities Patched in Chrome 142

Among the five security fixes, three stand out for their high severity, including the out-of-bounds write in WebGPU and inappropriate implementations in V8 and Views.

These flaws, if unpatched, could lead to memory corruption, enabling attackers to run arbitrary code, steal sensitive data, or install malware. The remaining two medium-severity issues affect the Omnibox address bar, potentially exposing users to phishing or injection risks.

For a detailed breakdown, the following table summarizes the CVEs, their severity, affected components, and technical details based on Google’s disclosures:

| CVE ID | Severity | Affected Component | Description and Impact | CVSS v3.1 Score (Estimated) | Reported By | Date Reported |
|---|---|---|---|---|---|---|
| CVE-2025-12725 | High | WebGPU | Out-of-bounds write flaw allowing memory corruption and remote code execution via malicious web content. Affects rendering of GPU-accelerated graphics in web apps. | 8.8 (High) | Anonymous | 2025-09-09 |
| CVE-2025-12726 | High | Views | Inappropriate implementation leading to UI manipulation and potential remote code execution through crafted web pages. Impacts browser’s visual rendering engine. | 8.1 (High) | Alesandro Ortiz | 2025-09-25 |
| CVE-2025-12727 | High | V8 | Inappropriate implementation in JavaScript engine enabling heap corruption and remote code execution. Exploitable via specially crafted scripts on websites. | 8.8 (High) | 303f06e3 | 2025-10-23 |
| CVE-2025-12728 | Medium | Omnibox | Inappropriate implementation allowing address bar spoofing, which could facilitate phishing attacks. No direct code execution but aids social engineering. | 6.5 (Medium) | Hafiizh | 2025-10-16 |
| CVE-2025-12729 | Medium | Omnibox | Similar implementation flaw in address bar, enabling URL manipulation for deceptive user interfaces. | 6.1 (Medium) | Khalil Zhani | 2025-10-23 |

These estimates for CVSS scores align with typical ratings for similar browser flaws, emphasizing the urgency of the high-severity issues. Google has restricted full bug details until most users update, a standard practice to limit exploit development.

This update highlights the vulnerabilities inherent in modern web standards like WebGPU, which promise enhanced performance for gaming and AI applications but introduce new attack surfaces.

V8, powering Chrome’s JavaScript execution, remains a frequent target due to its ubiquity across web ecosystems. Security tools such as AddressSanitizer and libFuzzer played a crucial role in detecting these bugs during development, showcasing proactive measures in Chromium’s pipeline.

Users should immediately check for updates via Chrome’s settings menu under “About Chrome” to apply the patch. Enterprises relying on Chrome for corporate environments are advised to enforce auto-updates and monitor for signs of exploitation, such as unusual browser crashes or network anomalies.
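For fleets where "About Chrome" cannot be checked by hand, the following added example (not from Google or the original article) compares reported Chrome versions against the patched builds listed above. The inventory rows, hostnames, and function names are constructed assumptions.

```python
# Added example: flag hosts whose Chrome build is below the patched builds
# named in the article. Inventory rows and helper names are constructed.

# Lowest patched build per platform, taken from the article's version list.
PATCHED = {
    "windows": "142.0.7444.134",
    "macos": "142.0.7444.135",
    "linux": "142.0.7444.134",
}


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a Chrome version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(platform, version):
    """Return 'patched', 'outdated' or 'unknown' for one host."""
    minimum = PATCHED.get(platform.lower())
    found = parse_version(version)
    if minimum is None or found is None:
        return "unknown"  # unlisted platform or unparseable version string
    # Compare numerically per component: as plain strings,
    # "142.0.7444.60" would wrongly sort above "142.0.7444.134".
    return "patched" if found >= parse_version(minimum) else "outdated"


def audit(inventory):
    """Map each hostname to its classification."""
    return {host: classify(plat, ver) for host, plat, ver in inventory}


# Constructed sample inventory: (hostname, platform, reported Chrome version).
SAMPLE_INVENTORY = [
    ("ws-001", "Windows", "142.0.7444.135"),
    ("ws-002", "Windows", "142.0.7444.60"),
    ("mac-010", "macOS", "142.0.7444.134"),
    ("lnx-020", "Linux", "142.0.7444.134"),
    ("lnx-021", "Linux", "141.0.7390.123"),
    ("kiosk-7", "Linux", "not installed"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" need manual follow-up, since a missing or malformed version string says nothing about patch state.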

As cyber threats evolve, this incident serves as a reminder of the importance of timely patching in safeguarding digital lives.
