Google on Tuesday released Chrome 140 to the stable channel with patches for six vulnerabilities, including four reported by external researchers.
The most severe of the bugs is CVE-2025-9864, a high-severity use-after-free issue in the V8 JavaScript engine that was reported by the Yandex Security Team.
According to Google’s advisory, no bug bounty reward will be paid for this security defect, and bug details will be kept restricted until the patches reach most users.
A type of memory corruption flaw, use-after-free vulnerabilities in V8 occur when JavaScript code can access objects after their memory has been deallocated, which can lead to heap corruption.
Attackers can potentially exploit the heap corruption via crafted HTML pages, often for remote code execution (RCE).
The remaining three security defects reported by external researchers are medium-severity inappropriate implementation bugs in Chrome’s Toolbar, Extensions, and Downloads components.
Google says it handed out rewards of $5,000, $4,000, and $1,000 for them, respectively. The Extensions flaw was reported in November 2024.
The latest Chrome iteration is now rolling out as versions 140.0.7339.80/81 for Windows and macOS, and as version 140.0.7339.80 for Linux. The extended stable channel has been updated to Chrome 140.0.7339.81 for both Windows and macOS.
Google makes no mention of any of these vulnerabilities being exploited in the wild, but users are advised to update their browsers as soon as possible.