Multiple Chrome Vulnerabilities Allow Attackers to Execute Malicious Code Remotely

Google has released an important security update for Chrome Desktop, addressing two high-severity vulnerabilities that could enable attackers to execute malicious code remotely on users’ systems.

The Stable channel has been updated to version 137.0.7151.103/.104 for Windows and Mac, and 137.0.7151.103 for Linux, which will roll out over the coming days and weeks.

Critical Security Vulnerabilities Addressed

This update includes two significant security fixes that were discovered by external security researchers and reported through Google’s vulnerability disclosure program.

CVE-2025-5958: Use After Free in Media Component

The first vulnerability, tracked as CVE-2025-5958, is a use-after-free flaw in Chrome’s media component that carries a high severity rating. This dangerous memory corruption vulnerability was discovered and reported by Huang Xilin of Ant Group Light-Year Security Lab on May 25, 2025. Google awarded an $8,000 bug bounty for this discovery, reflecting the serious nature of the security flaw.

Use-after-free vulnerabilities occur when a program continues to use memory after it has been freed, creating opportunities for attackers to manipulate freed memory addresses. In this case, the flaw can be triggered when Chrome attempts to use a media object that has already been freed from memory.

Attackers could potentially exploit this vulnerability by crafting malicious web pages with specially designed media content that triggers the use-after-free condition, leading to arbitrary code execution.

CVE-2025-5959: Type Confusion in V8 JavaScript Engine

The second vulnerability, CVE-2025-5959, is a type confusion flaw in V8, Chrome’s JavaScript and WebAssembly engine.

Security researcher Seunghyun Lee reported this high-severity issue as part of the TyphoonPWN 2025 hacking competition on June 4, 2025. TyphoonPWN is an annual live hacking competition held at TyphoonCon, an offensive security conference in Seoul, South Korea.

Type confusion vulnerabilities occur when the browser misinterprets the type of an object during execution, which can be exploited to read or write to arbitrary memory locations. This type of flaw can ultimately enable attackers to achieve sandbox escape or remote code execution by manipulating memory allocations and causing heap corruption.

Both vulnerabilities pose significant risks to Chrome users, as they could allow remote attackers to execute arbitrary code through specially crafted HTML pages.

The vulnerabilities are particularly dangerous because they can be leveraged in drive-by attacks, where users become victims simply by visiting a malicious website. Such attacks could enable cybercriminals to download and execute malware, hijack browser sessions, steal authentication tokens, exfiltrate sensitive data, or escalate privileges for deeper system access.

Time to Update!

As is standard practice with Chrome security updates, Google has temporarily restricted access to technical details about these vulnerabilities to protect users until the majority have received the update. The company will also maintain these restrictions if the bugs exist in third-party libraries that other projects depend on but haven’t yet fixed.

This latest security update continues Google’s ongoing efforts to address Chrome vulnerabilities throughout 2025. The company has already patched multiple zero-day vulnerabilities this year, including CVE-2025-5419 and CVE-2025-2783, which were actively exploited in the wild.

Chrome users are strongly advised to update their browsers immediately to the latest version to protect against potential attacks. The update will automatically roll out to users over the coming weeks, but users can manually check for updates by navigating to Chrome menu > Help > About Google Chrome.
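For fleets where checking each browser by hand is not practical, the following added example (not from Google or the original article) classifies reported Chrome version strings against the fixed Stable build 137.0.7151.103 named above. The host names and inventory values are constructed, and it assumes Stable-channel Google Chrome only; other Chromium-based browsers use their own version numbers and need their vendors' fixed versions.

```python
import re

# Minimum fixed Stable build named in the article (Windows, Mac and Linux).
FIXED_BUILD = (137, 0, 7151, 103)

# Four dotted numeric components, not embedded in a longer dotted number.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_chrome_version(text):
    """Return the four-part version as a tuple of ints, or None if absent."""
    match = _VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_text):
    """Classify one reported version string against FIXED_BUILD."""
    version = parse_chrome_version(version_text)
    if version is None:
        return "unknown"  # unparseable: needs manual follow-up, never "patched"
    # Tuple comparison is numeric per component, so 137.0.7151.68 sorts below
    # 137.0.7151.103 (a plain string comparison would get this wrong).
    return "patched" if version >= FIXED_BUILD else "vulnerable"


def audit(inventory):
    """Map host -> status for a {host: version_text} inventory."""
    return {host: classify(text) for host, text in inventory.items()}


# Constructed sample inventory; host names and version strings are made up.
SAMPLE_INVENTORY = {
    "win-laptop-01": "137.0.7151.104",
    "mac-design-02": "Google Chrome 137.0.7151.68",
    "linux-build-03": "Google Chrome 137.0.7151.103 ",
    "win-kiosk-04": "136.0.7103.114",
    "mac-lab-05": "not installed",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host:16} {status}")
```

Hosts reported as "unknown" should be checked manually rather than assumed safe.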

Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should also apply the fixes as they become available.

Google expressed gratitude to all security researchers who worked with the company during the development cycle to prevent security bugs from reaching the stable channel, highlighting the critical role of the security research community in maintaining browser security.


The post Multiple Chrome Vulnerabilities Allow Attackers to Execute Malicious Code Remotely appeared first on Cyber Security News.