Chrome Issues Urgent Update To Fix Multiple Remote Code Execution Vulnerabilities

Google has rolled out an emergency update for its Chrome browser across multiple platforms, addressing a cluster of critical vulnerabilities that could enable remote code execution (RCE) attacks.

The update, version 142.0.7444.134 for desktop and 142.0.7444.138 for Android, patches five security flaws, three of which carry high severity ratings.

Announced on November 5, 2025, this release underscores the ongoing cat-and-mouse game between browser developers and cybercriminals exploiting web technologies for malicious gains.

The vulnerabilities primarily affect core components like WebGPU, V8 JavaScript engine, and the browser’s user interface layers.

RCE flaws in browsers like Chrome pose severe risks, allowing attackers to run arbitrary code on victims’ devices simply by luring them to a compromised webpage—no user interaction required beyond loading the site.

This could lead to data theft, malware installation, or full system compromise, especially on unpatched systems.

Unpacking The Patched Flaws

Among the high-severity issues, CVE-2025-12725 involves an out-of-bounds write in WebGPU, a graphics API integrated into Chrome for high-performance rendering.

Discovered by an anonymous researcher on September 9, 2025, this bug could corrupt memory and execute code if exploited through malicious shaders or GPU workloads.

WebGPU’s growing adoption in web apps for gaming and AI makes this particularly alarming, as it expands the attack surface beyond traditional JavaScript.

Another high-risk flaw, CVE-2025-12726, stems from an inappropriate implementation in the Views component, reported by Alesandro Ortiz on September 25, 2025.

This could allow attackers to manipulate browser UI elements, potentially bypassing sandbox protections and injecting code.

The V8 engine fares no better with CVE-2025-12727, a high-severity issue flagged by researcher 303f06e3 on October 23, 2025. V8 powers JavaScript execution, and flaws here have historically fueled widespread exploits, including those in the wild.

Two medium-severity vulnerabilities in the Omnibox, the browser’s address bar, round out the fixes.

CVE-2025-12728, reported by Hafiizh on October 16, 2025, and CVE-2025-12729, disclosed by Khalil Zhani on October 23, 2025, involve implementation errors that might enable phishing or injection attacks during URL processing.

| CVE ID | Severity | Component | Description | Affected Versions | CVSS Score (v3.1) | Reporter, Date |
|---|---|---|---|---|---|---|
| CVE-2025-12725 | High | WebGPU | Out-of-bounds write enabling memory corruption and potential RCE | Chrome < 142.0.7444.134 (Desktop), < 142.0.7444.138 (Android) | 8.8 | Anonymous, 2025-09-09 |
| CVE-2025-12726 | High | Views | Inappropriate implementation allowing UI manipulation and sandbox escape | Same as above | 8.1 | Alesandro Ortiz, 2025-09-25 |
| CVE-2025-12727 | High | V8 | Inappropriate implementation in JavaScript engine leading to RCE | Same as above | 8.8 | 303f06e3, 2025-10-23 |
| CVE-2025-12728 | Medium | Omnibox | Implementation flaw in address bar processing | Same as above | 6.5 | Hafiizh, 2025-10-16 |
| CVE-2025-12729 | Medium | Omnibox | Similar Omnibox issue enabling potential injection | Same as above | 6.1 | Khalil Zhani, 2025-10-23 |

Why Update Now and How To Stay Safe

These patches arrive amid rising browser-based threats, with RCE exploits often chaining multiple bugs for devastating impact.

Google credits tools like AddressSanitizer and libFuzzer for early detection, but external researchers played a pivotal role.

The fixes sync across desktop (Windows, Mac, Linux) and Android, with iOS updates following suit in stable and beta channels.

Users should update immediately via Google Play for Android or through Chrome’s built-in updater (Settings > About Chrome).

Enable auto-updates to avoid delays. For enterprises, prioritize deployment to mitigate zero-day risks.

As Chrome powers over 65% of the browser market, timely patches are crucial in defending against sophisticated attacks targeting everyday web browsing.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
