
Google Chrome: Three vulnerabilities endanger your browser, install the update


Google says it has discovered three vulnerabilities in Chrome. As the Mountain View giant explains in the advisory published on its website, two of the security flaws were found by external researchers as part of its bug bounty program.

High-severity flaws in Chrome code

The first vulnerability concerns the JavaScript engine V8, which is responsible for executing the code of web pages. Considered high-severity by Google, the flaw occurs when Chrome makes incorrect calculations. The browser is then likely to read or write data to an incorrect location in memory, opening the door to an attack.

To exploit the flaw, the attacker must booby-trap a web page with malicious JavaScript code, which can corrupt memory or execute arbitrary code. In other words, the attacker takes control of the browser and, by extension, the computer. If the booby-trapped page is well-designed, the attack does not require any user interaction.

The second flaw, also of high severity, is located in Chrome's Profiler component, the browser's internal performance measurement tool. When Profiler takes certain performance measurements, it temporarily allocates memory for its work and frees that memory once it is no longer needed. Due to a bug, Chrome mistakenly reuses this freed memory, which can cause corruption that a hacker can exploit. With booby-trapped JavaScript, they can execute code in memory to take control of the browser and steal data.

In its warning, Google doesn't mention the third flaw, which was discovered by its teams.

The good news is that "Google has not detected any active exploitation of these flaws at the time of publication." The vulnerabilities were discovered by researchers before cybercriminals could find them.

Google releases a patch

To thwart potential attacks, Google has deployed an emergency patch on Chrome. The American company explains that it has started rolling out Chrome version 137.0.7151.119/.120 for macOS and Windows, as well as 137.0.7151.119 for Linux, as of Tuesday, June 17, 2025. All PCs will receive the patch "in the coming days/weeks."

A few weeks ago, Google already deployed an emergency update to fix a Chrome flaw. However, this flaw was actively exploited by hackers.

Update Chrome as soon as possible. Go to About Google Chrome and click Relaunch to complete the installation. Remember to restart Chrome regularly to receive the latest patches. For convenience, enable automatic updates.

If you're using a browser like Edge or Brave, consider updating them as well. They're based on the same rendering engine as Chrome, namely Chromium.
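For anyone checking more than one machine, the version numbers above can be turned into a small inventory check. This is an added example, not code from Google or from the original article; the host names, inventory rows and function names are constructed for illustration, and only the fixed build 137.0.7151.119 comes from the text.

```python
import re

# Lowest fixed build named in the article (macOS/Windows also ship .120).
FIXED_BUILD = (137, 0, 7151, 119)

# Chrome versions are four dot-separated integers, e.g. "137.0.7151.119".
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Extract a four-part version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def assess(product, version_text):
    """Classify one inventory row as 'patched', 'needs-update' or 'unknown'."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    if product.strip().lower() != "google chrome":
        # Edge, Brave and other Chromium browsers use their own version
        # numbers; the article gives no fixed build for them.
        return "unknown"
    # Tuples compare numerically, so build 99 sorts below build 119.
    # Comparing the raw strings would rank "99" above "119".
    return "patched" if version >= FIXED_BUILD else "needs-update"

# Constructed sample inventory: (host, product, reported version string).
INVENTORY = [
    ("ws-01", "Google Chrome", "Google Chrome 137.0.7151.119 "),
    ("ws-02", "Google Chrome", "137.0.7151.99"),
    ("mac-07", "Google Chrome", "137.0.7151.120"),
    ("ws-03", "Google Chrome", "136.0.7103.114"),
    ("ws-04", "Microsoft Edge", "137.0.3296.62"),
    ("srv-02", "Google Chrome", "not installed"),
]

def triage(inventory):
    """Group host names by assessment result."""
    result = {"patched": [], "needs-update": [], "unknown": []}
    for host, product, version_text in inventory:
        result[assess(product, version_text)].append(host)
    return result

if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown need a manual look: either no version could be read, or the browser is a Chromium derivative whose own vendor publishes the fixed version.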

Source: Google
