Google has released a new Stable Channel update for Chrome, 141.0.7390.65/.66 on Windows and macOS and 141.0.7390.65 for Linux, addressing three significant vulnerabilities that could allow attackers to exploit memory-related flaws for potential code execution or data exposure. The rollout will occur progressively over the coming days and weeks.
The first and most notable fix in this release is CVE-2025-11458, a high-severity heap buffer overflow located in Chrome’s Sync component. This vulnerability was reported by raven of KunLun Lab on September 5, 2025, and earned a $5,000 reward from Google’s Vulnerability Rewards Program (VRP).
A heap buffer overflow occurs when a program writes data beyond the allocated memory buffer, potentially overwriting critical memory regions. In Chrome’s Sync feature—which synchronizes browsing data such as bookmarks, history, and settings across devices—this could have allowed a maliciously crafted payload to trigger memory corruption, leading to a browser crash or even arbitrary code execution.
The second fix, CVE-2025-11460, is another high-severity vulnerability involving a use-after-free (UAF) bug within Chrome’s Storage component. It was reported by an independent researcher known as Sombra on September 23, 2025, and Google has classified the issue as critical to patch, though the reward amount has not yet been determined.
A use-after-free arises when a program continues to use a memory pointer after it has been freed, leading to unpredictable behavior such as information leakage or remote code execution. In Chrome’s case, the Storage subsystem manages access to local data stores like IndexedDB, LocalStorage, and Cache APIs—features frequently used by web applications for offline capability and performance.
If exploited, attackers could craft malicious web pages that trigger unsafe memory reuse during data storage or retrieval, potentially allowing them to execute arbitrary code within the browser sandbox. While Chrome’s multiprocess architecture provides significant protection against such exploits, use-after-free bugs remain one of the most commonly targeted classes of vulnerabilities in browser-based attacks.
The third fix, CVE-2025-11211, addresses a medium-severity out-of-bounds read in WebCodecs, a relatively new web API used for efficient video and audio processing within Chrome. This vulnerability was reported by Jakob Košir on August 29, 2025, and awarded a $3,000 bounty.
An out-of-bounds read occurs when a program attempts to access memory outside the intended buffer range, potentially exposing sensitive information or causing unexpected behavior. In the context of WebCodecs, the issue could have been exploited by specially crafted media files to leak memory contents or destabilize the browser during decoding operations.
Users are urged to update their browsers immediately to the latest version. Updates can be applied manually by navigating to Settings → Help → About Google Chrome, which will automatically trigger a check for the latest version and restart the browser once installed.
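For administrators checking many machines rather than one browser, the following added example (not part of the original article or any Google tooling) classifies reported Chrome versions against the fixed build 141.0.7390.65 named above. The host names and inventory records are constructed sample data, and the function names are illustrative.

```python
import re

# Fixed builds named in the article; .65 is the lowest patched build per platform.
FIXED = {
    "windows": (141, 0, 7390, 65),
    "macos": (141, 0, 7390, 65),
    "linux": (141, 0, 7390, 65),
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract a four-part Chrome version from free text, or return None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def assess(platform, reported):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory record."""
    minimum = FIXED.get(platform.lower())
    version = parse_version(reported)
    if minimum is None or version is None:
        return "unknown"  # never assume a host is patched when data is missing
    # Tuples compare numerically per component, so .100 > .65;
    # a plain string comparison would get that case wrong.
    return "patched" if version >= minimum else "vulnerable"


# Constructed inventory records: (host, platform, reported version string).
INVENTORY = [
    ("ws-01", "Windows", "141.0.7390.66"),
    ("mac-07", "macOS", "Google Chrome 141.0.7390.54"),
    ("lnx-03", "Linux", "Google Chrome 141.0.7390.100 "),
    ("ws-09", "Windows", "140.0.7339.208"),
    ("kiosk-2", "Linux", "version unavailable"),
]


def report(inventory=INVENTORY):
    """Map each host to its patch status."""
    return {host: assess(platform, ver) for host, platform, ver in inventory}


if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host:8} {status}")
```

Hosts reported as `unknown` should be followed up rather than counted as compliant, since a missing version string says nothing about patch state.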