Recently, a zero-day flaw was found in Chrome's ANGLE/GPU components. It allows attackers to bypass sandbox protections and potentially execute arbitrary code via malicious WebGL or GPU content.
Anyone using the browser should make sure they are running the latest version.
Ensure your Chrome browser (or any Chromium-based variant) is updated to at least version 139.0.7258.154 (Linux), 139.0.7258.154/.155 (Windows, macOS), or 139.0.7258.158 (Android).
In the version announcement, Google remains famously tight-lipped about the details of the vulnerability. It is a "use after free" bug, where program code accesses resources that have already been released and therefore have undefined content. The bug is located in ANGLE, the WebGL rendering backend (CVE-2025-9478 / EUVD-2025-25822, no CVSS score yet, but "critical" risk according to Google). The CVE entry at least reveals that remote attackers can abuse a memory error on the heap, for example with carefully prepared HTML web pages. Such flaws often allow attackers to inject and execute malicious code, which can be assumed here as well given the severity.
The developers have patched the vulnerability in Google Chrome versions 139.0.7258.158 for Android, 139.0.7258.154 for Linux, and 139.0.7258.154/.155 for macOS and Windows. The update is now available for download.
If you’re using Chrome—or any Chromium-based browser like Edge, Brave, Opera, or Vivaldi—update immediately to the patched versions to protect against these active threats.
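
To check an inventory of installed versions against the patched releases listed above, the following added example (not from Google or the cited sources) compares Google Chrome version strings numerically, since plain string comparison would rank .66 above .154. The host names and sample version strings are constructed, and the thresholds are the Chrome versions stated on this page.

```python
import re

# Patched floors taken from the versions stated on this page (Google Chrome only).
# Windows/macOS are listed as .154/.155, so .154 is treated as the floor.
PATCHED = {
    "linux": (139, 0, 7258, 154),
    "windows": (139, 0, 7258, 154),
    "macos": (139, 0, 7258, 154),
    "android": (139, 0, 7258, 158),
}

# Exactly four dot-separated numeric fields, not part of a longer dotted run.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Pull a four-part version out of text such as `google-chrome --version` output."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no four-part version in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(version_text, platform):
    """Compare as integer tuples; as strings, '7258.66' would sort above '7258.154'."""
    return parse_version(version_text) >= PATCHED[platform.lower()]


def audit(inventory):
    """Return (host, status) for every host that is not confirmed patched."""
    findings = []
    for host, platform, version_text in inventory:
        try:
            if not is_patched(version_text, platform):
                findings.append((host, "below-patched-version"))
        except (ValueError, KeyError):
            # Unparseable version or unlisted platform: flag for manual review.
            findings.append((host, "unknown"))
    return findings


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = [
    ("ws-01", "windows", "Google Chrome 139.0.7258.155"),
    ("lnx-02", "linux", "Google Chrome 139.0.7258.66"),
    ("mob-01", "android", "139.0.7258.154"),
    ("mac-01", "macos", "Google Chrome 140.0.7339.80"),
    ("ws-04", "windows", "not installed"),
]
```
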
Source
https://cybernews.com/security/critical-chrome-flaw-discovered-by-google-ai/
https://www.heise.de/en/news/Google-Chrome-Update-closes-critical-security-vulnerability-10622372.html