The Chrome team announced on September 2, 2025, that Chrome 140 addresses multiple critical vulnerabilities while introducing improvements that strengthen the browser’s overall architecture.
Chrome 140.0.7339.80 for Linux and versions 140.0.7339.80/81 for Windows and Mac represent a comprehensive security-focused update that tackles six distinct vulnerabilities, including a high-severity use-after-free flaw in the V8 JavaScript engine.
The rollout follows Google’s standard phased deployment strategy, ensuring gradual distribution over the coming days and weeks to minimize potential compatibility issues.
The most critical security fix addresses CVE-2025-9864, a high-severity use-after-free vulnerability in V8 discovered by Pavel Kuzmin from Yandex Security Team.
This type of vulnerability occurs when a program continues to use memory after it has been freed, potentially allowing attackers to execute arbitrary code or cause system crashes.
The V8 engine, which powers JavaScript execution in Chrome, represents a high-value target for security researchers due to its central role in web browsing functionality.
Google’s bug bounty program continues to incentivize external security research, with the company distributing $10,000 in total rewards for four medium-severity vulnerabilities.
The security researchers who contributed to this release include Khalil Zhani, who received $5,000 for identifying CVE-2025-9865 in the Toolbar implementation, and NDevTK, who earned $4,000 for discovering CVE-2025-9866 in Extensions functionality.

| CVE Identifier | Severity | Component | Researcher | Reward | Discovery Date |
|---|---|---|---|---|---|
| CVE-2025-9864 | High | V8 Engine | Pavel Kuzmin (Yandex) | Not Disclosed | July 28, 2025 |
| CVE-2025-9865 | Medium | Toolbar | Khalil Zhani | $5,000 | August 7, 2025 |
| CVE-2025-9866 | Medium | Extensions | NDevTK | $4,000 | November 16, 2024 |
| CVE-2025-9867 | Medium | Downloads | Farras Givari | $1,000 | May 4, 2025 |

Google’s internal security initiatives continue to play a crucial role in vulnerability detection, utilizing advanced tools including AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL (American Fuzzy Lop).
These automated testing frameworks enable continuous security auditing throughout the development cycle, identifying potential vulnerabilities before they reach production environments.
The extended stable channel has also received version 140.0.7339.81 for Windows and Mac platforms, providing enterprise users with additional stability testing before widespread deployment.
This dual-channel approach reflects Google’s commitment to balancing rapid security response with enterprise-grade stability requirements, ensuring that critical infrastructure remains protected while minimizing operational disruption.
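Because the rollout is phased, some hosts will lag behind the fixed builds named above. The following added example (not from Google or the original article) audits a software inventory against build 140.0.7339.80; the host names and inventory rows are constructed sample data, and the input format (host, platform, version string as printed by `google-chrome --version` or a bare version number) is an assumption.

```python
import re

# First fixed build per platform, as stated in the article.
FIXED = {
    "linux": (140, 0, 7339, 80),
    "windows": (140, 0, 7339, 80),
    "mac": (140, 0, 7339, 80),
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract a four-part Chrome version from text and return it as a tuple of ints."""
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def audit(inventory):
    """Return (host, status) pairs; status is 'ok', 'outdated' or 'unknown'."""
    results = []
    for host, platform, raw in inventory:
        fixed = FIXED.get(platform.lower())
        try:
            version = parse_version(raw)
        except ValueError:
            results.append((host, "unknown"))
            continue
        if fixed is None:
            results.append((host, "unknown"))
        else:
            # Tuples of ints compare numerically, field by field.
            # Comparing the raw strings would rank ".9" above ".80".
            results.append((host, "ok" if version >= fixed else "outdated"))
    return results


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    ("build-01", "linux", "Google Chrome 140.0.7339.80 "),
    ("desk-17", "windows", "140.0.7339.81"),
    ("desk-22", "windows", "139.0.1.1"),
    ("mac-03", "mac", "140.0.7339.9"),
    ("kiosk-5", "linux", "not installed"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY):
        print(f"{host}\t{status}")
```

Hosts reported as `unknown` need a manual check, since a missing or unparseable version string says nothing about patch state.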
The post Google Chrome 140 Patches Six Remote Code Execution Flaws appeared first on Cyber Security News.