Google has officially promoted Chrome 143 to the Stable channel, rolling out version 143.0.7499.40 for Linux and 143.0.7499.40/41 for Windows and Mac.
This significant update addresses 13 security vulnerabilities, including several high-severity flaws that could allow attackers to execute arbitrary code or compromise the browser’s rendering engine.
The most critical vulnerability addressed in this release is CVE-2025-13630, a Type Confusion vulnerability in the V8 JavaScript engine. Reported by security researcher Shreyas Penkar, this flaw earned a bounty of $11,000.
Type confusion vulnerabilities are particularly dangerous because they occur when the program allocates a resource using one type but subsequently accesses it using a different, incompatible type.
In a browser context, successful exploitation of a V8 type confusion bug often allows a remote attacker to execute arbitrary code inside the renderer sandbox by tricking the user into visiting a specially crafted website.
Another notable high-severity issue is CVE-2025-13631, an inappropriate implementation flaw in the Google Updater service. This vulnerability was reported by researcher Jota Domingos and carried a $3,000 reward.
While specific details regarding the exploitation vector remain restricted to prevent widespread abuse, vulnerabilities in update mechanisms can sometimes be leveraged to establish persistence or elevate privileges on a host system.
The update also resolves CVE-2025-13632, a high-severity issue in DevTools reported by Leandro Teles, and CVE-2025-13633, a “Use After Free” (UAF) memory corruption bug in Digital Credentials discovered internally by Google.
UAF bugs remain a typical class of memory-safety errors in Chrome. They occur when the browser uses memory after it has been freed, which can lead to crashes or potential code execution.
Google has restricted access to the full bug details until a majority of the user base has updated to the patched version. This standard operating procedure minimizes the risk of threat actors reverse-engineering the patch to develop exploits for unpatched browsers.
The following table summarizes the key external security contributions resolved in Chrome 143:
| CVE ID | Severity | Vulnerability Type | Component | Reward |
|---|---|---|---|---|
| CVE-2025-13630 | High | Type Confusion | V8 | $11,000 |
| CVE-2025-13631 | High | Inappropriate Implementation | Google Updater | $3,000 |
| CVE-2025-13632 | High | Inappropriate Implementation | DevTools | TBD |
| CVE-2025-13634 | Medium | Inappropriate Implementation | Downloads | TBD |
| CVE-2025-13635 | Low | Inappropriate Implementation | Downloads | $3,000 |
| CVE-2025-13636 | Low | Inappropriate Implementation | Split View | $1,000 |
Beyond the external reports, Google’s internal security team identified several other issues, including a medium-severity race condition in V8 (CVE-2025-13721) and a bad cast in the Loader component (CVE-2025-13720).
The Chrome team used automated testing tools such as AddressSanitizer and libFuzzer to detect these memory errors during the development cycle.
Users on Windows, Mac, and Linux should look for the update to install automatically over the coming days. Manual checks can be performed by navigating to the Chrome menu, selecting Help, and clicking About Google Chrome to force the download of version 143.
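Administrators who cannot wait for auto-update to reach every machine can script the same check against a software inventory. The sketch below is an added example, not code from Google or the original article: the host names and sample version strings are constructed, and the threshold is the 143.0.7499.40 build named above.

```python
import re

# Minimum patched build named in the article for Linux, Windows and Mac.
PATCHED = (143, 0, 7499, 40)

# Four dotted integers, as in "Google Chrome 143.0.7499.40".
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Return the four-part version as a tuple of ints, or None if absent."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None

def classify(text):
    """Classify one inventory string as 'patched', 'outdated' or 'unknown'."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    # Tuples of ints compare component by component, so 99 < 143 and 9 < 40.
    # Comparing the raw strings would rank "99.0..." above "143.0...".
    return "patched" if version >= PATCHED else "outdated"

def audit(inventory):
    """Map each host to its status, given (host, version_text) records."""
    return {host: classify(text) for host, text in inventory}

# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = [
    ("linux-ws-01", "Google Chrome 143.0.7499.40 "),
    ("win-lt-07", "143.0.7499.41"),
    ("mac-lt-03", "Google Chrome 142.0.7000.10"),
    ("linux-ws-09", "Google Chrome 99.0.4000.1"),
    ("kiosk-02", "Google Chrome 143.0.7499.9"),
    ("srv-build-4", "not installed"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:12} {status}")
```

Hosts reported as `unknown` need a manual look, since a missing version string can mean either that Chrome is absent or that the inventory agent failed.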
