Google Chrome Patches Three High-Severity Flaws in V8 Engine

Google has released a Stable Channel Update for Desktop with builds 140.0.7339.207/.208 for Windows and Mac and 140.0.7339.207 for Linux. The update, rolling out over the coming days and weeks, addresses three high-severity security flaws in Chrome’s V8 JavaScript engine. These vulnerabilities were reported by both independent researchers and Google’s own AI-driven security tools.

The first issue, tracked as CVE-2025-10890, is a side-channel information leakage vulnerability in V8. Reported by Mate Marjanović (SharpEdged) on July 9, 2025, this flaw could allow attackers to infer sensitive data from subtle variations in system behavior. Side-channel issues are particularly dangerous because they bypass traditional permission models—rather than breaking into systems directly, they exploit the traces left by legitimate operations. In the browser context, such attacks can be weaponized to recover secrets like cryptographic keys, session identifiers, or other private user information.

The second vulnerability, CVE-2025-10891, is an integer overflow in V8, reported by Google Big Sleep, an AI vulnerability-hunting system developed by DeepMind and Project Zero, on September 9, 2025. Integer overflows occur when an arithmetic operation produces a result larger than the integer type can represent, so the stored value is wrong and the code that relies on it behaves unexpectedly. In a JavaScript engine like V8, such flaws can be exploited to manipulate memory layouts and gain arbitrary code execution. The fact that this bug was caught by an AI-driven system highlights how automated analysis is becoming an essential part of modern security research, especially for complex engines that power web applications used by billions worldwide.

On September 10, 2025, Google Big Sleep identified a second integer overflow vulnerability, assigned CVE-2025-10892. While technically distinct from the previous overflow, this flaw carried similar risks—namely, the ability to destabilize the memory management of V8 and potentially enable arbitrary code execution.

Users on Windows, Mac, and Linux should ensure their browsers are updated to the latest Stable Channel release (140.0.7339.207/.208) to stay protected.
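
To check a fleet against the patched build named above, the following added example (not from Google or the original article) classifies `chrome --version` style strings numerically. The function names, hostnames and sample versions are constructed for illustration, and the check assumes Google Chrome on the Stable channel only.

```python
import re

# Lowest patched build per the article; .208 on Windows/Mac is also patched.
PATCHED = (140, 0, 7339, 207)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version from `--version` style output."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(text):
    """Return 'patched', 'outdated' or 'unknown' for one version string."""
    v = parse_version(text)
    if v is None:
        # No parsable version: treat as needing manual follow-up, not as safe.
        return "unknown"
    # Tuples compare numerically part by part. Comparing the raw strings
    # would wrongly rank "140.0.7339.81" above "140.0.7339.207".
    return "patched" if v >= PATCHED else "outdated"


def audit(inventory):
    """Map host -> status for a {host: version_output} inventory."""
    return {host: classify(out) for host, out in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "win-01": "Google Chrome 140.0.7339.208",
    "mac-02": "Google Chrome 140.0.7339.81",
    "lin-03": "Google Chrome 140.0.7339.207 ",
    "lin-04": "Google Chrome 139.0.7258.154",
    "kiosk-05": "chrome: command not found",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host:10} {status}")
```

Hosts reported as `unknown` should be followed up manually, since a missing or unparsable version string says nothing about patch state.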
