Google has released Chrome version 140.0.7339.127/.128 for Windows, 140.0.7339.132/.133 for Mac, and 140.0.7339.127 for Linux, rolling out over the coming days.
This update incorporates two security fixes contributed by external researchers, including a critical remote code execution vulnerability in Serviceworker and a high-severity logic flaw in the Mojo IPC system.
Critical Use-After-Free in Serviceworker
The most serious flaw, tracked as CVE-2025-10200, is a use-after-free vulnerability within the Serviceworker implementation.
Exploitation could allow a remote attacker to execute arbitrary code in the context of the browser process.
The bug was responsibly disclosed by researcher Looben Yang on August 22, 2025, who received a $43,000 reward for the report.
Service workers are a foundational technology for modern web applications, enabling background script execution and offline capabilities.
This flaw could have been leveraged to bypass same-origin protections.
High-Severity Implementation Error in Mojo
The update also addresses CVE-2025-10201, a vulnerability in Mojo, Chrome’s inter-process communication framework, resulting from an improper implementation.
This flaw was discovered by Sahan Fernando alongside an anonymous researcher and carries a high severity rating.
An attacker exploiting this vulnerability may have manipulated message handling between Chrome components, leading to elevated privileges or memory corruption.
The contribution earned a $30,000 bounty.
Google credits AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL for detecting many of its security bugs.
These tools, integrated into the Chromium build and testing pipelines, continuously scan for memory safety and undefined behavior issues.
Google emphasizes that access to detailed bug information and exploit proof-of-concepts remains restricted until the majority of users receive updates.
Third-party library dependencies shared with other projects may also delay public disclosure if they lack their own fixes.
Chrome users are encouraged to update immediately through the browser’s built-in mechanism or by downloading the latest binaries.
IT administrators should verify that enterprise policies permit automatic updates and deploy this version across managed fleets.
For those curious about switching release channels or participating in early testing, Google directs users to its developer channel signup.
Any newly discovered issues can be reported via the Chromium bug tracker, and community support is available through Google’s help forum.
| CVE Identifier | Description | Severity | Reward | Reporter |
|---|---|---|---|---|
| CVE-2025-10200 | Use-after-free in Serviceworker | Critical | $43,000 | Looben Yang |
| CVE-2025-10201 | Inappropriate implementation in Mojo | High | $30,000 | Sahan Fernando & Anon |
By addressing these vulnerabilities swiftly and rewarding external researchers, Google continues to bolster Chrome’s resilience against emerging threats.
Users who maintain up-to-date installations benefit from layers of defense designed to prevent critical bugs from ever reaching the stable channel.
Find this Story Interesting! Follow us on Google News, LinkedIn and X to Get More Instant Updates
%20(1)%20(1).webp?resize=1600,900&ssl=1&description=This update incorporates two security fixes contributed by external researchers, including a critical remote code execution vulnerability in Serviceworker){kind=link}