Chrome Security Update: Fix for 11 Vulnerabilities Allow Malicious Code Execution

Google has released Chrome 138 to the stable channel across Windows, Mac, and Linux platforms, delivering critical security patches that address 11 vulnerabilities, including several that could potentially allow malicious code execution.

The update represents a significant security milestone in Google’s ongoing efforts to protect users from emerging cyber threats.

Chrome 138.0.7204.49 for Linux and Chrome 138.0.7204.49/50 for Windows and Mac systems are now rolling out globally over the coming days and weeks.

This latest stable release marks a substantial security-focused update that addresses multiple vulnerability categories ranging from medium to low severity levels.

The extended stable channel has simultaneously been updated to version 138.0.7204.50 for Windows and Mac users, ensuring comprehensive coverage across Google’s release channels.

The rollout follows Google standard security protocol of restricting access to detailed bug information until the majority of users have received the security fixes.

This approach prevents potential exploitation of vulnerabilities that remain unpatched on older browser versions.

Additionally, Google maintains restrictions on vulnerabilities that exist in third-party libraries upon which other projects depend, protecting the broader software ecosystem until comprehensive fixes are deployed.

Three High-Profile Vulnerabilities

The security update highlights three particularly notable vulnerabilities discovered by external security researchers, each receiving monetary rewards through Google’s bug bounty program.

The most significant finding, CVE-2025-6555, represents a use-after-free vulnerability in the Animation component that earned researcher Lyra Rebane a $4,000 bounty for the March 2025 discovery.

This medium-severity vulnerability poses serious risks as use-after-free exploits can potentially lead to arbitrary code execution.

Two additional low-severity vulnerabilities round out the researcher-contributed fixes. CVE-2025-6556, reported by Shaheen Fazim in January 2023, addresses insufficient policy enforcement in the Loader component and earned a $1,000 reward.

Similarly, CVE-2025-6557, discovered by Ameen Basha M K in March 2025, fixes insufficient data validation in DevTools and also received a $1,000 bounty.

These findings demonstrate the ongoing collaborative relationship between Google and the security research community in identifying and addressing potential browser vulnerabilities.

Internal Security Framework

Beyond the externally reported vulnerabilities, Google’s internal security initiatives contributed significantly to Chrome 138’s security improvements.

The company’s ongoing internal audit processes, combined with advanced fuzzing techniques and other security initiatives, identified and resolved numerous additional security issues before they could reach end users.

Google’s security methodology employs a sophisticated array of detection tools including AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL (American Fuzzy Lop).

These automated security testing frameworks continuously analyze Chrome’s codebase to identify potential vulnerabilities during the development cycle, preventing security bugs from reaching the stable release channel.

The comprehensive security approach reflects Google’s commitment to proactive threat mitigation rather than reactive patching.

By integrating multiple detection methodologies throughout the development process, the Chrome team can identify and address potential security issues before they become exploitable vulnerabilities in production environments.

Users are encouraged to update their browsers immediately to benefit from these critical security improvements and maintain protection against emerging cyber threats.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.