Google has released an update for its Chrome browser that includes 20 security fixes, several of which are classed as high severity. Most of these flaws were found in Chrome’s V8 engine—the part of Chrome (and other Chromium-based browsers) that runs JavaScript.
Chrome is by far the world’s most popular browser, used by an estimated 3.4 billion people. That scale means when Chrome has a security flaw, billions of users are potentially exposed until they update.
These vulnerabilities are serious because they affect the code that runs almost every website you visit. Every time you load a page, your browser executes JavaScript from all sorts of sources, whether you notice it or not. Without proper safety checks, attackers can sneak in malicious instructions that your browser then runs—sometimes without you clicking anything. That could lead to stolen data, malware infections, or even a full system compromise.
That’s why it’s important to install these patches promptly. Staying unpatched means you could be open to an attack just by browsing the web, and attackers often exploit these kinds of flaws before most users have a chance to update. Always let your browser update itself, and don’t delay restarting to apply security patches, because updates often fix exactly this kind of risk.
How to update
The Chrome update brings the version number to 142.0.7444.59/.60 for Windows, 142.0.7444.60 for MacOS and 142.0.7444.59 for Linux. So, if your Chrome is on the version number 142.0.7444.59 or later, it’s protected from these vulnerabilities.
The easiest way to update is to allow Chrome to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.
To update manually, click the “More” menu (three stacked dots), then choose Settings > About Chrome. If there is an update available, Chrome will notify you and start downloading it. Then relaunch Chrome to complete the update, and you’ll be protected against these vulnerabilities.
You can find more detailed update instructions and how to read the version number in our article on how to update Chrome on every operating system.
Technical details
Among the vulnerabilities in the V8 engine there are two that stand out:
CVE-2025-12428 is a high-severity “type confusion” vulnerability in the V8 JavaScript engine. This happens when code doesn’t verify the object type it’s handling and then uses it incorrectly. In other words, the software mistakes one type of data for another—like treating a list as a single value or a number as text. This can cause Chrome to behave unpredictably and, in some cases, let attackers manipulate memory and execute code remotely through crafted JavaScript on a malicious or compromised website. Google paid a $50,000 bounty for its discovery, highlighting its severity.
CVE-2025-12036 involves an inappropriate implementation in V8 and is classified as critical. This one allows remote code execution (RCE)—meaning an attacker could run code on your computer just by getting you to visit a specially crafted page. Google’s Big Sleep project, an AI-driven system that automates vulnerability discovery, found the flaw. It stems from improper handling in the internals of the JavaScript and WebAssembly engines and carries a high risk of data theft, malware installation, or even full system compromise.
Users of other Chromium-based browsers—like Edge, Opera, and Brave—can expect similar updates in the near future.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
