Google’s October 2025 desktop update for Chrome addresses three critical memory handling flaws that could allow drive-by arbitrary code execution, underscoring the importance of immediate patch deployment.
Overview of the October Update
Google released Chrome version 141.0.7390.65/.66 for Windows and macOS, and 141.0.7390.65 for Linux.
This security update resolves three vulnerabilities, all memory handling errors, that attackers could exploit simply by luring users to malicious web content.
No additional privileges are required, greatly increasing the risks posed by drive-by downloads or malicious advertisements.
External researchers uncovered these issues through Google’s Vulnerability Reward Program and received bounties ranging from $3,000 to $5,000 based on severity and complexity.
Details of the Flaws
The first high-severity flaw, CVE-2025-11458, is a heap buffer overflow in the Chrome Sync component.
By sending specially crafted synchronization data, an attacker can overflow a memory buffer and execute arbitrary code in the context of the browser process.
This vulnerability was reported by “raven” from KunLun Lab on September 5, 2025, and earned a $5,000 reward.
The second high-severity issue, CVE-2025-11460, is a use-after-free in the Storage component.
A malicious script or web page can free a storage object prematurely and then access it, causing memory corruption.
Researcher Sombra reported this on September 23, 2025; Google has yet to announce the exact bounty.
The medium-severity vulnerability, CVE-2025-11211, involves an out-of-bounds read in the WebCodecs API.
By supplying malformed input to the media decoding interface, an attacker can read beyond allocated memory, potentially leading to data corruption or setting the stage for further exploitation.
Jakob Košir disclosed this flaw on August 29, 2025, and received a $3,000 reward.
| CVE Identifier | Impact | Reported by |
|---|---|---|
| CVE-2025-11458 | High | raven at KunLun Lab |
| CVE-2025-11460 | High | Sombra |
| CVE-2025-11211 | Medium | Jakob Košir |
A minimal JavaScript proof-of-concept for CVE-2025-11458 demonstrates the overflow by constructing an oversized ArrayBuffer and passing it to the Sync API as follows:
```javascript
// Oversized buffer (1 MiB + 8 bytes) filled with 0x41, handed to the Sync API as the article describes
let syncData = new Uint8Array(1024 * 1024 + 8).fill(0x41);
chrome.sync.set(syncData).then(() => console.log('Sync update complete'));
```
Successful execution is indicated by a crash log entry containing the term HeapBufferOverflow and a stack trace referencing chrome_sync.
Administrators should monitor endpoint logs for such crash signatures.
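The following is an added example of the kind of crash-log check the paragraph above calls for; it is not code from the article or from Google. It scans endpoint log lines for the two signatures the article names (a HeapBufferOverflow crash reason and a stack frame referencing chrome_sync), grouped per browser process so the reason line and its frames are judged together. The `<timestamp> <host> chrome[<pid>]: <message>` layout and every log line below are constructed for the example; real agents use their own layout, so the line regex is the part to adapt.

```python
import re

# Crash-log signatures the advisory names for the Chrome Sync overflow.
# The tag is matched loosely so both "HeapBufferOverflow" (crash-reason style)
# and "heap-buffer-overflow" (sanitizer style) are caught.
TAG_RE = re.compile(r"heap[-_ ]?buffer[-_ ]?overflow", re.IGNORECASE)
MODULE_RE = re.compile(r"chrome_sync")

# Assumed log layout: "<timestamp> <host> chrome[<pid>]: <message>".
# Real endpoint agents emit other layouts; adjust this regex to yours.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+chrome\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$"
)

# Constructed sample lines for the example; not real crash output, and the
# source paths are invented.
SAMPLE_LOG = """\
2025-10-08T09:12:01Z host-17 chrome[4412]: ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000f0
2025-10-08T09:12:01Z host-17 chrome[4412]: #0 0x55d3c0 in syncer::ExampleProcessor::OnUpdate chrome_sync/engine/example.cc:412
2025-10-08T09:12:01Z host-17 chrome[4412]: #1 0x55d4a1 in syncer::ExampleEngine::ProcessUpdates chrome_sync/engine/example_engine.cc:88
2025-10-08T10:30:44Z host-22 chrome[9981]: crash reason: HeapBufferOverflow; top frame blink::Document::Shutdown
2025-10-08T11:02:10Z host-31 chrome[120]: sync cycle finished, see chrome_sync/engine/cycle.cc
this line does not match the expected layout and is skipped
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not fit the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def group_by_process(log_text):
    """Group messages by (host, pid) so a crash reason and its stack frames are examined together."""
    groups = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        groups.setdefault((rec["host"], rec["pid"]), []).append(rec["msg"])
    return groups


def find_sync_overflow_crashes(log_text):
    """Return one hit per process whose log shows both signatures from the advisory.

    A HeapBufferOverflow in some other component (host-22 above) or a chrome_sync
    frame without an overflow (host-31 above) is not reported, which keeps the
    check specific to the crash pattern the article describes.
    """
    hits = []
    for (host, pid), msgs in group_by_process(log_text).items():
        tag_lines = [m for m in msgs if TAG_RE.search(m)]
        module_lines = [m for m in msgs if MODULE_RE.search(m)]
        if tag_lines and module_lines:
            evidence = tag_lines + [m for m in module_lines if m not in tag_lines]
            hits.append({"host": host, "pid": pid, "evidence": evidence})
    return hits


if __name__ == "__main__":
    for hit in find_sync_overflow_crashes(SAMPLE_LOG):
        print(f"{hit['host']} pid {hit['pid']}: crash signature matching CVE-2025-11458")
        for line in hit["evidence"]:
            print("   ", line)
```

Grouping by process matters because the crash reason and the stack frames usually arrive as separate lines; matching either term on its own would either miss the pattern or flag every unrelated sync log line.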
All users should verify automatic updates or manually navigate to About Google Chrome in the browser settings to ensure they are running version 141.0.7390.65/.66.
Enterprises deploying Chrome via group policies must roll out this update across all managed devices without delay.
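As an added example for the two paragraphs above (not code from the article or from Google), this script checks reported Chrome build strings against the fixed builds the article lists and returns the hosts that still need the update. The inventory is constructed for the example; in practice the version strings would come from `google-chrome --version`, the About page, or an endpoint management export. The point it demonstrates is that build numbers must be compared component by component: as plain strings, "141.0.7390.9" sorts after "141.0.7390.65" even though it is the older build.

```python
import re

# Fixed builds named in the advisory.
FIXED_VERSION_WINDOWS_MAC = "141.0.7390.65"   # a .66 build was also shipped for these platforms
FIXED_VERSION_LINUX = "141.0.7390.65"

VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text):
    """Extract the first dotted version from text such as "Google Chrome 141.0.7390.65" as an int tuple."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(reported, minimum=FIXED_VERSION_WINDOWS_MAC):
    """True when the reported build is at or above the fixed build, comparing component by component.

    Plain string comparison gets this wrong: "141.0.7390.9" > "141.0.7390.65" is True as
    strings because "9" sorts after "6", but build 9 is older than build 65.
    Shorter version strings are padded with zeros so "141.1" compares as 141.1.0.0.
    """
    have, need = parse_version(reported), parse_version(minimum)
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have >= need


# Constructed inventory for the example: hostname -> (platform, reported version string).
INVENTORY = {
    "ws-01": ("windows", "Google Chrome 141.0.7390.66"),
    "ws-02": ("windows", "Google Chrome 140.0.7339.207"),
    "mac-01": ("macos", "Google Chrome 141.0.7390.65"),
    "lx-01": ("linux", "Google Chrome 141.0.7390.9"),
    "lx-02": ("linux", "Google Chrome 142.0.7400.12"),
}

MINIMUM_BY_PLATFORM = {
    "windows": FIXED_VERSION_WINDOWS_MAC,
    "macos": FIXED_VERSION_WINDOWS_MAC,
    "linux": FIXED_VERSION_LINUX,
}


def hosts_needing_update(inventory):
    """Return hostnames whose Chrome build is below the fixed build for their platform, in inventory order."""
    return [
        host
        for host, (platform, reported) in inventory.items()
        if not is_patched(reported, MINIMUM_BY_PLATFORM[platform])
    ]


if __name__ == "__main__":
    for host in hosts_needing_update(INVENTORY):
        print(f"{host}: update Chrome to {FIXED_VERSION_WINDOWS_MAC} or later")
```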
Web developers can mitigate risk by enforcing strict Content Security Policy (CSP) headers to restrict script sources and by validating or sanitizing user-supplied data before invoking media or storage APIs.
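The following is an added example (not code from the article) of auditing a Content-Security-Policy value for the weaknesses that undo the "restrict script sources" advice above: wildcard or scheme-only script sources, 'unsafe-inline', 'unsafe-eval', and an object-src that is not 'none'. Both policies below are constructed; the nonce value is a placeholder and a real one must be generated fresh per response. The parser handles the fallback rule that script-src and object-src inherit from default-src when they are absent.

```python
# Sources that effectively let scripts load from anywhere, or from any host of a scheme.
BROAD_SCRIPT_SOURCES = {"*", "http:", "https:", "data:", "blob:"}


def parse_csp(header):
    """Parse a Content-Security-Policy value into {directive: [sources]}; directive names are lower-cased."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Fetch directives fall back to default-src when absent; None means no restriction at all."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def audit_csp(header):
    """Return human-readable findings for a policy that fails to restrict script or object sources."""
    policy = parse_csp(header)
    findings = []
    scripts = effective_sources(policy, "script-src")
    if scripts is None:
        findings.append("neither script-src nor default-src is set: scripts may load from any origin")
    else:
        for src in scripts:
            low = src.lower()
            if low == "'unsafe-inline'":
                findings.append("script-src allows 'unsafe-inline': injected inline script would run")
            elif low == "'unsafe-eval'":
                findings.append("script-src allows 'unsafe-eval': string-to-code evaluation is permitted")
            elif low in BROAD_SCRIPT_SOURCES:
                findings.append(f"script-src allows the broad source {src}")
    objects = effective_sources(policy, "object-src")
    if objects is None or [o.lower() for o in objects] != ["'none'"]:
        findings.append("object-src is not 'none': plugin/embedded object content is allowed")
    return findings


# Constructed policies for the example: a permissive one and a tightened one.
WEAK_CSP = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'"
STRICT_CSP = (
    "default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'; "
    "object-src 'none'; base-uri 'self'"
)


if __name__ == "__main__":
    for label, header in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        findings = audit_csp(header)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("   ", f)
```

A strict policy limits what injected or third-party script can do on a page and so narrows the paths by which malicious content reaches the browser, but it does not change the browser's own memory handling; for the three CVEs above the patch is the fix and CSP is defense in depth.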
Security teams are encouraged to integrate runtime memory safety tools such as AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, and Control Flow Integrity into development pipelines to detect similar issues earlier.