Tuesday, March 17, 2026

Chrome High-Severity Flaws Expose Data and Trigger System Crashes

Google has released Chrome version 140.0.7339.207 for Windows and Linux, and version 140.0.7339.208 for Mac, addressing three high-severity security vulnerabilities discovered in the browser’s V8 JavaScript engine.

The update, released on September 23, 2025, patches high-severity information leakage and integer overflow flaws that attackers could potentially exploit.

The security update represents Google’s continued commitment to protecting Chrome users from emerging threats, with the company acknowledging contributions from external security researchers and its own automated security testing systems.

Users are encouraged to update their browsers immediately as the patches roll out globally over the coming days and weeks.

V8 Engine Vulnerabilities

The three vulnerabilities patched in this update all affect Chrome’s V8 JavaScript engine, which is responsible for executing JavaScript code in web pages.

The most concerning of these is CVE-2025-10890, a side-channel information leakage vulnerability discovered by security researcher Mate Marjanović from SharpEdged on July 9, 2025.

  • CVE-2025-10890: Side-channel information leakage vulnerability in V8 engine.
  • CVE-2025-10891: Integer overflow flaw discovered by Google’s Big Sleep system.
  • CVE-2025-10892: Second integer overflow vulnerability found one day after CVE-2025-10891.
  • Impact: All three vulnerabilities carry high severity ratings due to potential exploitation risks.
  • Affected Component: V8 JavaScript engine used across all Chrome installations.

Side-channel attacks represent a particularly sophisticated threat vector where attackers can extract sensitive information by analyzing indirect signals such as timing data, power consumption, or electromagnetic emissions.

In the context of a web browser’s JavaScript engine, such vulnerabilities could potentially allow malicious websites to access sensitive data from other tabs or applications running on the same system.

The remaining two vulnerabilities, CVE-2025-10891 and CVE-2025-10892, are both integer overflow flaws in the V8 engine discovered by Google’s Big Sleep system on September 9 and 10, 2025, respectively.

Integer overflow vulnerabilities occur when arithmetic operations result in values that exceed the maximum size that can be stored in a given data type, potentially leading to memory corruption and arbitrary code execution.
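As an added illustration of the bug class described above (not V8 code and not taken from Google's advisory), the following C example shows a 32-bit size calculation that wraps and a hardened version that rejects it. The function names and sample values are hypothetical and constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unchecked: the 32-bit multiply wraps modulo 2^32, so the returned size
   can be far smaller than count * elem_size really is. */
static uint32_t bytes_needed_unchecked(uint32_t count, uint32_t elem_size) {
    return count * elem_size;
}

/* Checked: reports overflow instead of returning a wrapped size.
   __builtin_mul_overflow is a GCC/Clang builtin. */
static bool bytes_needed_checked(uint32_t count, uint32_t elem_size, uint32_t *out) {
    return !__builtin_mul_overflow(count, elem_size, out);
}

/* Hardened copy: allocate only if the size computation did not overflow
   and the source buffer really holds that many bytes. */
static uint8_t *copy_elements(const uint8_t *src, size_t src_len,
                              uint32_t count, uint32_t elem_size) {
    uint32_t need;
    if (!bytes_needed_checked(count, elem_size, &need)) return NULL;
    if (need == 0 || need > src_len) return NULL;
    uint8_t *dst = malloc(need);
    if (dst) memcpy(dst, src, need);
    return dst;
}

int main(void) {
    /* Constructed values: 0x40000001 * 4 = 2^32 + 4, which wraps to 4. */
    uint32_t count = 0x40000001u, elem = 4;
    printf("unchecked size: %u\n", (unsigned)bytes_needed_unchecked(count, elem));
    uint8_t sample[16] = {0};
    uint8_t *p = copy_elements(sample, sizeof sample, count, elem);
    printf("hardened copy: %s\n", p ? "allocated" : "rejected");
    free(p);
    p = copy_elements(sample, sizeof sample, 4, 4);
    printf("valid copy: %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```

Unsigned wraparound is well-defined in C, so Clang flags it only with `-fsanitize=unsigned-integer-overflow`, which is not part of `-fsanitize=undefined`.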

Google Big Sleep AI System

Notably, two of the three vulnerabilities were identified by Google Big Sleep, an artificial intelligence-powered security research system developed by Google.

This marks a significant milestone in automated vulnerability discovery, demonstrating how AI systems can now identify complex security flaws that might otherwise go unnoticed by human researchers.

  • AI-Powered Discovery: Google Big Sleep identified CVE-2025-10891 and CVE-2025-10892 within 24 hours of each other.
  • Advanced Detection: AI system can identify complex integer overflow vulnerabilities automatically.
  • Systematic Approach: Demonstrates potential for AI-driven vulnerability research at scale.
  • Industry Impact: Could revolutionize how software security flaws are discovered and patched.
  • Rapid Identification: Both vulnerabilities found on consecutive days in September 2025.

The Big Sleep system’s discovery of two integer overflow vulnerabilities in V8 within a single day of each other suggests a systematic approach to security testing that could revolutionize how software vulnerabilities are identified and patched.

This development comes at a time when the cybersecurity industry is increasingly exploring AI-driven approaches to threat detection and vulnerability research.

Google has not disclosed specific details about the exploitation potential of these vulnerabilities, following the company’s standard practice of restricting access to bug details until the majority of users have updated their browsers.

This approach helps prevent malicious actors from developing exploits while legitimate users are still running vulnerable versions of the software.

Automated Testing and Collaboration Boost Security

The Chrome security team continues to leverage multiple automated security testing tools to identify vulnerabilities before they reach stable releases.

These include AddressSanitizer for detecting memory corruption bugs, MemorySanitizer for identifying uninitialized memory access, UndefinedBehaviorSanitizer for catching undefined behavior, Control Flow Integrity for preventing code-reuse attacks, and fuzzing tools like libFuzzer and AFL.

This multi-layered approach to security testing, combined with contributions from external security researchers, creates a comprehensive security framework that helps protect Chrome’s billions of users worldwide.

The company maintains an active bug bounty program that incentivizes security researchers to responsibly disclose vulnerabilities rather than selling them to malicious actors.

Users should ensure their Chrome browsers update automatically to the latest version, or manually check for updates through the browser’s settings menu.

System administrators in enterprise environments should prioritize deploying this security update across their organizations to protect against potential exploitation of these V8 engine vulnerabilities.
