Google has rolled out Chrome 137.0.7151.55/56 to its stable channel for Windows, macOS, and Linux, addressing 11 security vulnerabilities, including two high-severity flaws enabling remote code execution.
The update, deployed incrementally starting May 28, 2025, mitigates risks posed by memory corruption bugs in core browser components like the V8 JavaScript engine and rendering systems.
Security researchers identified seven externally reported issues, with Google paying $7,500 in bug bounties and withholding technical details until most users update.
The update resolves CVE-2025-5063, a high-severity use-after-free vulnerability in Chrome’s compositing subsystem that malicious actors could exploit to execute arbitrary code via specially crafted HTML pages.
This risk stems from improper memory management when rendering layered page elements, potentially allowing attackers to hijack control flow during DOM manipulations.
Equally critical is CVE-2025-5280, an out-of-bounds write flaw in the V8 JavaScript engine that corrupts memory during array operations.
Successful exploitation could let attackers bypass sandbox protections and run native code on target systems. Google’s V8 team implemented stricter bounds-checking and hardened garbage collection to prevent such scenarios.
Both vulnerabilities received “High” severity ratings due to their low attack complexity and lack of user interaction requirements.
While Google restricts full technical disclosure until widespread adoption of Chrome 137, enterprise administrators should prioritize updates given the active exploitation risks associated with similar memory corruption flaws in 2024.
API Misconfigurations and Defense-in-Depth
The update patches five medium-severity issues across Chrome’s API implementations.
CVE-2025-5064 in the Background Fetch API allowed unauthorized cross-origin data access by mishandling service worker permissions.
Similarly, CVE-2025-5065 in the FileSystemAccess API exposed local files through race conditions during drag-and-drop operations.
Notably, CVE-2025-5281 corrects a Back/Forward Cache (BFCache) implementation error that leaked authentication tokens during session restorations.
This class of vulnerability aligns with growing concerns about browser caching mechanisms inadvertently preserving sensitive data.
While less critical, this fix highlights Chrome’s layered security approach, combining sandboxing, site isolation, and privilege reduction to contain breaches.
Enterprise Implications and Mitigation Strategies
The update’s 11 fixes include four internal discoveries via fuzzing campaigns and static analysis tools like AddressSanitizer and Control Flow Integrity.
These automated defenses now block 72% of memory-related exploits pre-release, per Chrome’s security team.
Google also addressed a low-severity tab management flaw (CVE-2025-5067) enabling UI spoofing attacks through malformed favicon URLs.
Organizations should:
- Enforce automatic updates via enterprise policies to ensure all devices reach Chrome 137 within 72 hours.
- Audit extension permissions, as patched APIs like Background Fetch and FileSystemAccess are common extension attack vectors.
- Monitor for CVE-2025-5283 exploitation, a medium-severity libvpx vulnerability remotely triggerable through malformed WebM videos.
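As an added example (not from Google or the original article), the following Python audit checks a browser inventory against the fixed build 137.0.7151.55 and the 72-hour target in the list above. The hostnames, version strings and timestamps are constructed, and counting the 72 hours from the May 28, 2025 rollout date is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Lowest fixed stable build named in the article (137.0.7151.55/56).
FIXED_BUILD = (137, 0, 7151, 55)
# Assumption: the 72-hour window starts at the May 28, 2025 rollout date (UTC).
ROLLOUT = datetime(2025, 5, 28, tzinfo=timezone.utc)
DEADLINE = ROLLOUT + timedelta(hours=72)


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a four-part dotted version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(version_text, checked_at):
    """Classify one host as patched, pending, overdue or unknown."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # malformed report: follow up by hand, do not assume patched
    if version >= FIXED_BUILD:  # tuple comparison is numeric, field by field
        return "patched"
    return "overdue" if checked_at > DEADLINE else "pending"


# Constructed inventory rows: (host, reported Chrome version, time of report).
INVENTORY = [
    ("ws-001", "137.0.7151.56", "2025-05-29T09:00:00+00:00"),
    ("ws-002", "136.0.7000.10", "2025-05-29T09:00:00+00:00"),
    ("ws-003", "136.0.7000.10", "2025-06-02T09:00:00+00:00"),
    ("ws-004", "137.0.7151", "2025-06-02T09:00:00+00:00"),
    ("ws-005", "137.0.7151.40", "2025-06-02T09:00:00+00:00"),
]


def audit(inventory):
    """Map each host to its patch status."""
    return {
        host: classify(version, datetime.fromisoformat(stamp))
        for host, version, stamp in inventory
    }


if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}\t{status}")
```

Hosts reported as `unknown` are kept separate from `patched` so that a truncated or malformed version string never counts toward compliance.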
While Google confirmed no active exploits at release, the delayed disclosure timeline for CVE-2025-5063 and CVE-2025-5280 suggests these flaws may exist in other Chromium-based browsers still awaiting patches.
Microsoft Edge and Brave Software typically issue parallel updates within 48 hours of Chrome’s releases.
This update underscores Chrome’s evolving focus on memory safety, with 63% of 2025’s patched vulnerabilities stemming from C/C++ memory mismanagement.
Upcoming Chrome versions will increasingly integrate Rust components, starting with the QUIC protocol stack in Q3 2025.