Multiple Chrome High-Severity Vulnerabilities Let Attackers Execute Arbitrary Code

Google Chrome has released a critical security update addressing six vulnerabilities that could potentially enable arbitrary code execution on affected systems. 

The stable channel update to version 139.0.7258.127/.128 for Windows and Mac, and 139.0.7258.127 for Linux, contains patches for multiple high-severity security flaws that pose significant risks to user data and system integrity.

Key Takeaways
1. Chrome fixes six vulnerabilities, including three that enable code execution.
2. Affects V8 engine and graphics - allows malicious code execution.
3. Update Chrome now via Settings > About Chrome.

High-Severity Vulnerabilities Addressed

The security update targets three high-severity vulnerabilities that could lead to arbitrary code execution. 

CVE-2025-8879 represents a heap buffer overflow vulnerability in the libaom library, which handles video encoding and decoding operations. 

This type of vulnerability allows attackers to write data beyond the bounds of an allocated heap buffer, potentially corrupting adjacent memory.

CVE-2025-8880 addresses a race condition in Google’s V8 JavaScript engine, reported by security researcher Seunghyun Lee. 

Race conditions occur when multiple threads or processes access a shared resource at the same time without adequate synchronization, so the result depends on timing and creates unpredictable behavior that attackers can exploit.

The third high-severity flaw, CVE-2025-8901, involves an out-of-bounds write vulnerability in ANGLE (Almost Native Graphics Layer Engine), which translates OpenGL ES API calls to hardware-supported APIs.

Chrome’s security team utilized multiple advanced detection methodologies to identify these vulnerabilities, including AddressSanitizer for detecting memory corruption bugs, MemorySanitizer for uninitialized memory reads, and UndefinedBehaviorSanitizer for catching undefined behavior in C/C++ code. 

The update also incorporates Control Flow Integrity mechanisms and findings from libFuzzer and AFL (American Fuzzy Lop) testing frameworks.

Medium-Severity Vulnerabilities Addressed

Additional medium-severity vulnerabilities were also patched, including CVE-2025-8881, which addresses inappropriate implementation in the File Picker component, and CVE-2025-8882, a use-after-free vulnerability in the Aura windowing system. 

Use-after-free vulnerabilities occur when programs continue to use memory after it has been freed, leading to potential code execution opportunities.

| CVE ID | Title | Severity |
|---|---|---|
| CVE-2025-8879 | Heap buffer overflow in libaom | High |
| CVE-2025-8880 | Race in V8 | High |
| CVE-2025-8901 | Out of bounds write in ANGLE | High |
| CVE-2025-8881 | Inappropriate implementation in File Picker | Medium |
| CVE-2025-8882 | Use after free in Aura | Medium |

Mitigations

These vulnerabilities collectively present serious security risks, as heap buffer overflows and race conditions in core browser components can be exploited to execute malicious code with browser privileges. 

The automatic rollout will occur over the coming days and weeks, but users should manually update Chrome through Settings > About Chrome.

System administrators should prioritize this update deployment, particularly in enterprise environments where browsers process sensitive data. 
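
For administrators tracking rollout, the following is an added example (not from the Chrome team or the original article) that flags hosts still below the fixed build 139.0.7258.127 named above. The "host,os,version" inventory format, the hostnames and the sample versions are assumptions constructed for illustration; versions are compared numerically because a plain string comparison would rank 139.0.7258.66 above 139.0.7258.127.

```python
import re

# Lowest patched stable build named in the article (applies to every platform).
FIXED_BUILD = (139, 0, 7258, 127)

_VERSION_RE = re.compile(r"^\d+(?:\.\d+){3}$")


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a four-part version."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))


def audit(inventory_lines):
    """Classify each 'host,os,version' line as patched, vulnerable or unknown."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for line in inventory_lines:
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            # Malformed row: keep it visible instead of silently dropping it.
            report["unknown"].append(line.strip())
            continue
        host, _os_name, raw_version = fields
        version = parse_version(raw_version)
        if version is None:
            report["unknown"].append(host)
        elif version >= FIXED_BUILD:  # tuple comparison is numeric per component
            report["patched"].append(host)
        else:
            report["vulnerable"].append(host)
    return report


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    "ws-001,windows,139.0.7258.128",
    "ws-002,windows,139.0.7258.66",
    "mac-014,mac,139.0.7258.127",
    "lin-203,linux,138.0.7204.183",
    "kiosk-7,linux,unknown",
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown should be treated as unpatched until their version is confirmed.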

The Chrome team’s collaboration with external security researchers, including anonymous contributors and Google’s Big Sleep project, demonstrates the ongoing effort to identify and remediate security vulnerabilities before they reach stable release channels.


The post Multiple Chrome High-Severity Vulnerabilities Let Attackers Execute Arbitrary Code appeared first on Cyber Security News.