Chrome Update Fixes High-Severity Vulnerabilities Allowing Arbitrary Code Execution

Google has released a critical security update for Chrome, addressing six vulnerabilities that pose serious threats to user security.

The update, Chrome version 139.0.7258.127/.128 for Windows and Mac, and 139.0.7258.127 for Linux, began rolling out on August 12, 2025, and will reach all users over the coming weeks.

The security patches target three high-severity vulnerabilities that could potentially allow arbitrary code execution, giving attackers complete control over affected systems.

These vulnerabilities affect core browser components including the V8 JavaScript engine, media processing libraries, and graphics systems, making them particularly dangerous for widespread exploitation.

The most severe vulnerability, CVE-2025-8879, involves a heap buffer overflow in libaom, the widely-used AV1 video codec library.

Reported by an anonymous researcher on July 15, 2025, this vulnerability could allow attackers to write data beyond allocated memory boundaries when processing malicious video content.

Heap buffer overflows are particularly dangerous as they enable attackers to overwrite critical memory regions and execute arbitrary code.

CVE-2025-8880 addresses a race condition in Chrome’s V8 JavaScript engine, discovered by security researcher Seunghyun Lee (@0x10n) on July 23, 2025.

Race conditions occur when multiple processes access shared resources simultaneously, creating opportunities for attackers to manipulate program execution and potentially escape browser sandbox restrictions.

Given V8’s central role in processing JavaScript across all browser tabs, this vulnerability represents a significant attack vector.

The third high-severity vulnerability, CVE-2025-8901, involves an out-of-bounds write vulnerability in ANGLE, Google’s graphics abstraction layer that translates OpenGL calls.

This vulnerability was uniquely discovered by Google’s Big Sleep AI system on July 30, 2025, demonstrating the company’s use of artificial intelligence in security research.

By manipulating graphics data, attackers could trigger memory corruption leading to browser crashes or code execution.

Chrome Update Fixes High-Severity Vulnerabilities

Beyond the high-severity vulnerabilities, the update also patches two medium-severity issues: CVE-2025-8881 affecting File Picker implementation and CVE-2025-8882 involving a use-after-free vulnerability in Aura, Chrome’s windowing system.

While less critical, these vulnerabilities could still be exploited in targeted attacks and warrant immediate patching.

Google security team continues to rely heavily on automated testing tools to identify vulnerabilities before they reach stable releases.

The company uses AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL (American Fuzzy Lop) to detect memory corruption and other security issues.

This comprehensive approach to security testing has proven effective in catching vulnerabilities during development cycles.

In line with responsible disclosure practices, Google maintains restrictions on detailed vulnerability information until most users have updated their browsers.

This strategy prevents malicious actors from exploiting vulnerabilities before patches are widely deployed.

The company also extends these restrictions when vulnerabilities exist in third-party libraries that other projects depend on but haven’t yet patched.

Immediate Action Required for All Users

Security experts strongly recommend that all Chrome users update immediately to protect against these serious threats.

The vulnerabilities’ potential for arbitrary code execution makes them high-priority targets for cybercriminals and nation-state actors.

Users can check their Chrome version by navigating to Settings > About Chrome, which will automatically trigger an update if available.

Google has also acknowledged the broader security research community’s contributions to preventing vulnerabilities from reaching stable releases.

The company continues to offer bug bounty rewards for security researchers who responsibly report vulnerabilities, though specific reward amounts for these particular issues have not been disclosed.

This collaborative approach between Google and the security research community remains crucial for maintaining Chrome’s security posture against evolving threats.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.