Google has rolled out a critical security update for Chrome 135 across all desktop platforms. The update addresses fourteen vulnerabilities, including high-severity flaws that could enable remote code execution.
The stable channel update (135.0.7049.52 for Linux, 135.0.7049.41/42 for Windows/macOS) comes with urgent patches for multiple memory corruption and implementation flaws actively exploited in the wild.
High-Severity Vulnerability
The most severe vulnerability (CVE-2025-3066) involves a use-after-free flaw in navigation processes that could let attackers execute arbitrary code via crafted web pages.
Reported by Sven Dysthe through Chrome’s Vulnerability Reward Program, this memory corruption flaw carries a “High” severity rating.
Medium-Risk Vulnerabilities
Five medium-severity fixes address implementation flaws across key components:
- Custom Tabs vulnerability (CVE-2025-3067) allowing privilege escalation ($10,000 bounty).
- Intents handler bypass (CVE-2025-3068) enabling unauthorized actions ($2,000 bounty).
- Extension system flaws (CVE-2025-3069/3070) permitting malicious payload injection.
Notably, one extension vulnerability report dates back to 2017, revealing long-standing architectural issues in Chrome’s permission model.
Low-Severity Vulnerabilities
The update resolves four lower-risk implementation issues:
- Navigation handling (CVE-2025-3071)
- Custom Tabs validation (CVE-2025-3072)
- Autofill protections (CVE-2025-3073)
- Download protections (CVE-2025-3074)
External researchers claimed $17,000 in bounties for identifying vulnerabilities, with TU Wien researcher Philipp Beer receiving the highest individual payout. The patch also includes fixes from Google’s internal security teams using advanced hardening measures:
Update Recommendations
Chrome users should immediately:
- Navigate to chrome://settings/help
- Allow automatic update installation
- Restart the browser
Enterprise administrators can force updates through group policies (version 135.0.7049.52+). Google has restricted detailed technical disclosures until most users update, following standard coordinated vulnerability disclosure practices.
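An added example, not part of the article or any Google tooling: a small Python check that compares reported Chrome versions against the minimum patched builds named above (Linux 135.0.7049.52, Windows/macOS 135.0.7049.41), so an administrator can list hosts that still need the forced update. The hostnames and version strings in the sample inventory are constructed, and the platform keys are an assumption of this example.

```python
import re

# Minimum patched builds per platform, as stated in the article.
# Windows/macOS shipped as 135.0.7049.41/42, so .41 is the floor there.
PATCHED_MIN = {
    "linux": (135, 0, 7049, 52),
    "windows": (135, 0, 7049, 41),
    "macos": (135, 0, 7049, 41),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version from strings such as
    'Google Chrome 135.0.7049.52' or a bare '134.0.6998.165'.
    Returns a tuple of ints, or None when no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_patched(version_text, platform):
    """True if the build is at or above the patched floor for the platform.
    Tuple comparison handles later majors (e.g. 136.x) correctly."""
    version = parse_version(version_text)
    if version is None:
        raise ValueError(f"no Chrome version found in {version_text!r}")
    return version >= PATCHED_MIN[platform.lower()]


def audit(inventory):
    """inventory: iterable of (host, platform, version_text).
    Returns the hosts still running an unpatched build."""
    return [host for host, plat, ver in inventory if not is_patched(ver, plat)]


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = [
        ("ws-01", "linux", "Google Chrome 135.0.7049.52"),
        ("ws-02", "windows", "134.0.6998.165"),
        ("ws-03", "macos", "Google Chrome 135.0.7049.42"),
    ]
    for host in audit(sample):
        print(f"{host}: update required")
```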
This update highlights Chrome’s ongoing security challenges despite massive investments in sandboxing and process isolation. The inclusion of vulnerabilities reported as early as 2017 suggests some architectural limitations persist in the browser’s 16-year-old codebase.