Google has rolled out Chrome 143 to the stable channel for Windows, Mac, and Linux, fixing 13 security vulnerabilities. The patched builds are 143.0.7499.40 (Linux) and 143.0.7499.40/41 (Windows/Mac).
The update, announced on December 2, 2025, via the Chrome Releases blog, deploys gradually over days or weeks. Change logs appear in the Chromium repository.
This release prioritizes security, patching flaws that could enable arbitrary code execution, data leaks, or crashes.
High-severity issues dominate, including a V8 type confusion bug that can be exploited for remote attacks.
Internal tools such as AddressSanitizer and libFuzzer caught many of the bugs before they reached the stable channel. External researchers earned bounties totaling over $15,000.
The update fixes 13 issues, detailed below. Access to complete bug reports remains restricted until most users update, per Chromium policy.

| CVE ID | Severity | Component | Description | Reporter | Bounty |
|---|---|---|---|---|---|
| CVE-2025-13630 | High | V8 | Type confusion | Shreyas Penkar | $11,000 |
| CVE-2025-13631 | High | Google Updater | Inappropriate implementation | Jota Domingos | $3,000 |
| CVE-2025-13632 | High | DevTools | Inappropriate implementation | Leandro Teles | TBD |
| CVE-2025-13633 | High | Digital Credentials | Use after free | Chrome | N/A |
| CVE-2025-13634 | Medium | Downloads | Inappropriate implementation | Eric Lawrence (MS) | N/A |
| CVE-2025-13720 | Medium | Loader | Bad cast | Chrome | N/A |
| CVE-2025-13721 | Medium | V8 | Race condition | Chrome | N/A |
| CVE-2025-13635 | Low | Downloads | Inappropriate implementation | Hafiizh | $3,000 |
| CVE-2025-13636 | Low | Split View | Inappropriate implementation | Khalil Zhani | $1,000 |
| CVE-2025-13637 | Low | Downloads | Inappropriate implementation | Hafiizh | TBD |
| CVE-2025-13638 | Low | Media Stream | Use after free | sherkito | TBD |
| CVE-2025-13639 | Low | WebRTC | Inappropriate implementation | Philipp Hancke | TBD |
| CVE-2025-13640 | Low | Passwords | Inappropriate implementation | Anonymous | TBD |

Standout flaws include CVE-2025-13630, a V8 type confusion vulnerability that allows memory corruption, potentially leading to sandbox escape and arbitrary code execution via heap spraying.
V8 races (CVE-2025-13721) and use-after-free errors (CVE-2025-13633, -13638) pose similar risks for exploits in rendering pipelines.
DevTools and Updater bugs (CVE-2025-13632, -13631) expose debugging tools and auto-updates to injection.
Downloads saw repeated fixes for path-traversal and UI-spoofing vulnerabilities. WebRTC and password issues could leak media streams or credentials.
Update immediately via Chrome’s built-in tool (chrome://settings/help) to mitigate zero-day risks. Chromium credits researchers and fuzzers for proactive defense.
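Because the rollout is gradual, some hosts will lag behind the patched build. The following added example (not from Google or the Chrome Releases post) checks an inventory of reported Chrome versions against the fixed builds named above; the hostnames, the record layout, and the older version numbers are constructed for illustration.

```python
import re

# Patched builds as stated in the article; for Windows/Mac the lower of .40/.41 is the floor.
FIXED = {
    "linux": (143, 0, 7499, 40),
    "windows": (143, 0, 7499, 40),
    "mac": (143, 0, 7499, 40),
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract a four-part Chrome version from free-form text, or None."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(platform, version_text):
    """Return 'patched', 'vulnerable', or 'unknown' for one inventory record."""
    floor = FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if floor is None or version is None:
        return "unknown"  # never treat unparseable data as patched
    # Tuple comparison is numeric per component, so .5 < .40 (string compare gets this wrong).
    return "patched" if version >= floor else "vulnerable"


def audit(records):
    """Map each host to its status; records are (host, platform, version_text)."""
    return {host: classify(platform, text) for host, platform, text in records}


# Constructed sample inventory (hostnames and older version numbers are made up).
SAMPLE = [
    ("ws-001", "Windows", "Google Chrome 143.0.7499.41"),
    ("ws-002", "Windows", "Google Chrome 143.0.7499.5"),
    ("mac-01", "Mac", "Google Chrome 142.0.7000.100"),
    ("lnx-01", "Linux", "Google Chrome 143.0.7499.40 "),
    ("lnx-02", "Linux", "chrome: command not found"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" need a manual check, since a missing or unparseable version says nothing about patch state.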