Google has officially promoted Chrome 140 to the stable channel, initiating a multi-platform rollout for Windows, Mac, Linux, Android, and iOS.
The update brings the usual stability and performance improvements, but the headline item is a security update addressing six vulnerabilities, including one high-severity use-after-free in the V8 engine that could be leveraged for remote code execution.
Users are strongly advised to update their browsers immediately to protect against potential exploitation.
The new desktop version is identified as build 140.0.7339.80 for Linux and 140.0.7339.80/81 for Windows and Mac. The update is also being pushed to the Extended Stable channel as build 140.0.7339.81.
Key Takeaways
1. Chrome 140 is now stable on desktop and mobile, including extended-stable build 140.0.7339.81.
2. Six security bugs fixed, four of them (CVE-2025-9864 through CVE-2025-9867) reported by external researchers.
3. GPU rasterization, faster HTTP/3, and CSS Container Queries support.
Mobile users will see the update as version 140.0.7339.35 on Android and 140.0.7339.95 on iOS. While Google notes the rollout will occur over the coming days and weeks, manually checking for the update is recommended due to the severity of the patched flaws.
The most critical issue resolved in this update is a high-severity vulnerability tracked as CVE-2025-9864. This flaw is described as a “Use after free in V8,” the powerful open-source JavaScript and WebAssembly engine that powers Chrome.
A use-after-free vulnerability occurs when a program continues to use a pointer after the memory it points to has been freed. If an attacker can arrange for that freed memory to be reallocated with data they control, the stale pointer now references attacker-controlled content, which is the usual path from a dangling pointer to memory corruption.
In practice, an attacker could craft a malicious webpage whose JavaScript triggers the bug, leading at minimum to a crash of the renderer process and, in the worst case, to arbitrary code execution. Because V8 runs inside Chrome's sandboxed renderer, turning that into full control of the victim's system would additionally require a sandbox escape, which is why such bugs are typically chained with a second vulnerability. This vulnerability was reported by Pavel Kuzmin of the Yandex Security Team on July 28, 2025.
In addition to the V8 flaw, Google patched several medium-severity bugs reported by external researchers, including:
- CVE-2025-9865: An inappropriate implementation in the Toolbar.
- CVE-2025-9866: An inappropriate implementation in Extensions.
- CVE-2025-9867: An inappropriate implementation in Downloads.
Google awarded a total of $10,000 in bounties to the external researchers who discovered and reported these vulnerabilities, as stated in the advisory.
| Vulnerability | Description | Severity | Reward |
|---|---|---|---|
| CVE-2025-9864 | Use after free in V8 | High | N/A |
| CVE-2025-9865 | Inappropriate implementation in Toolbar | Medium | $5,000 |
| CVE-2025-9866 | Inappropriate implementation in Extensions | Medium | $4,000 |
| CVE-2025-9867 | Inappropriate implementation in Downloads | Medium | Not listed |
Update Rollout Details
Beyond the fixes contributed by external researchers, this release includes various other security enhancements resulting from Google’s own internal security work.
The company credits its robust internal auditing processes and sophisticated testing tools for catching many bugs before they ever reach the stable channel.
Google’s security teams extensively use automated tools like AddressSanitizer, MemorySanitizer, and UndefinedBehaviorSanitizer, as well as fuzzing technologies like libFuzzer and AFL, to proactively discover and neutralize memory corruption and other security flaws.
As the update for Chrome 140 rolls out globally, Google is restricting access to the bug tracker entries and links for the fixed issues. This standard procedure is designed to keep threat actors from diffing the fixes into working exploits before a majority of users have installed the protective patch; the restriction may also remain in place where a bug exists in a third-party library that other projects depend on and have not yet fixed.
Users can confirm they are protected by opening Menu > Help > About Google Chrome (chrome://settings/help), which displays the installed build number and triggers the automatic download and installation of the latest version if one is pending; a relaunch is required for the new build to take effect.
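For administrators who need to verify a fleet rather than a single browser, the following POSIX shell script (an added example, not part of the original article or of any Google tooling) compares a reported Chrome version against the minimum patched build for each platform as listed above. The platform labels, function names and the sample version strings used in the demo are this example's own; the fixed build numbers come from the article.

```shell
#!/bin/sh
# Added example (not from the article or from Google): decide whether a Chrome
# version string meets the minimum patched Chrome 140 build for its platform.

# Minimum patched builds per the article. Windows/Mac ship both .80 and .81,
# so .80 is the floor there. Extended Stable is a separate channel at .81; a
# version number alone does not reveal which channel a browser tracks, so the
# caller must know the channel to use the "extended" label.
min_patched_version() {
  case "$1" in
    linux|windows|mac) echo "140.0.7339.80" ;;
    extended)          echo "140.0.7339.81" ;;
    android)           echo "140.0.7339.35" ;;
    ios)               echo "140.0.7339.95" ;;
    *) echo "unknown platform: $1" >&2; return 2 ;;
  esac
}

# version_ge A B: succeed if dotted version A >= B, comparing each field
# numerically (so 140.0.7339.80 > 140.0.7339.9, which a string compare misses).
version_ge() {
  a="$1" b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    [ "$a" = "$ai" ] && a="" || a="${a#*.}"
    [ "$b" = "$bi" ] && b="" || b="${b#*.}"
    ai="${ai:-0}"; bi="${bi:-0}"
    if [ "$ai" -gt "$bi" ]; then return 0; fi
    if [ "$ai" -lt "$bi" ]; then return 1; fi
  done
  return 0
}

# chrome_is_patched PLATFORM VERSION: prints a verdict and returns 0 if the
# version is at or above the patched build, 1 if it is below, 2 on bad input.
chrome_is_patched() {
  min=$(min_patched_version "$1") || return 2
  if version_ge "$2" "$min"; then
    echo "patched ($2 >= $min for $1)"; return 0
  fi
  echo "vulnerable ($2 < $min for $1)"; return 1
}

# installed_chrome_version: read the local desktop build from the first Chrome
# or Chromium binary on PATH (output looks like "Google Chrome 140.0.7339.80").
# Only common Linux binary names are tried; adjust for other platforms.
installed_chrome_version() {
  for bin in google-chrome google-chrome-stable chromium chromium-browser; do
    if command -v "$bin" >/dev/null 2>&1; then
      "$bin" --version 2>/dev/null |
        sed -n 's/.*\([0-9][0-9]*\(\.[0-9][0-9]*\)\{3\}\).*/\1/p'
      return 0
    fi
  done
  return 1
}

# Demo with constructed version strings (not real inventory data).
if [ "${1:-}" = "--demo" ]; then
  chrome_is_patched linux   140.0.7339.80
  chrome_is_patched android 140.0.7339.34 || true
  chrome_is_patched ios     140.0.7339.95
fi
```

Run it as `sh check_chrome.sh --demo` to see the verdicts for the constructed samples, or pipe inventory output such as `platform version` pairs through `chrome_is_patched` in a loop. The field-by-field comparison matters: a plain string comparison would rank 140.0.7339.9 above 140.0.7339.80 and report an unpatched browser as safe.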