Google has released an emergency security update for its Chrome browser to address two critical vulnerabilities that could potentially allow attackers to execute malicious code remotely on affected systems.
The update, rolling out to Chrome version 137.0.7151.103/.104 for Windows and Mac, and 137.0.7151.103 for Linux, represents a significant security milestone as both vulnerabilities carry high severity ratings and were discovered by external security researchers.
The latest Chrome security update tackles two distinct but equally dangerous vulnerabilities that posed serious risks to user security.
The first vulnerability, designated CVE-2025-5958, involves a “use after free” condition in Chrome’s media handling components.
This type of vulnerability occurs when the browser attempts to access memory that has already been freed, potentially allowing attackers to manipulate memory allocation and execute arbitrary code on the victim’s system.
The second vulnerability, identified as CVE-2025-5959, represents a type confusion vulnerability within the V8 JavaScript engine that powers Chrome’s web page rendering and script execution.
Type confusion vulnerabilities are particularly dangerous because they can allow attackers to bypass security mechanisms by tricking the browser into treating one data type as another, potentially leading to memory corruption and subsequent code execution.
Both vulnerabilities were classified as “High” severity by Google’s security team, indicating they pose significant risks to user privacy and system integrity.
The discovery and responsible disclosure of these vulnerabilities highlight the ongoing cat-and-mouse game between security researchers and potential threat actors in the browser security landscape.
Multiple Chrome Vulnerabilities
The technical nature of these vulnerabilities makes them particularly concerning for cybersecurity professionals and end users alike.
Use after free vulnerabilities like CVE-2025-5958 are frequently exploited in real-world attacks because they can provide attackers with precise control over memory allocation patterns.
When successfully exploited, such vulnerabilities can allow remote code execution without requiring any user interaction beyond visiting a maliciously crafted website.
The V8 engine vulnerability presents additional risks due to the ubiquitous nature of JavaScript in modern web applications.
Since V8 processes JavaScript code from virtually every website users visit, a type confusion vulnerability in this component could be triggered through various attack vectors, including malicious advertisements, compromised websites, or specially crafted web content.
Google’s decision to withhold detailed technical information about these vulnerabilities follows industry best practices for responsible disclosure.
The company typically restricts access to detailed vulnerability information until a majority of users have updated their browsers, preventing potential attackers from reverse-engineering the fixes to develop functional exploits.
Responsible Disclosure
According to the report, the discovery of these vulnerabilities underscores the critical role that external security researchers play in maintaining browser security.
CVE-2025-5958 was identified by Huang Xilin from Ant Group Light-Year Security Lab and reported to Google on May 25, 2025.
For this discovery, Google awarded an $8,000 bounty through its Vulnerability Reward Program, demonstrating the company’s commitment to incentivizing responsible security research.
The second vulnerability, CVE-2025-5959, was discovered by Seunghyun Lee as part of the TyphoonPWN 2025 competition and reported on June 4, 2025.
Security competitions like TyphoonPWN serve as important venues for researchers to showcase their skills while contributing to overall internet security through the discovery of previously unknown vulnerabilities.
Users are strongly encouraged to update their Chrome browsers immediately through the browser’s automatic update mechanism or by manually checking for updates through the Help menu.
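For administrators checking many machines at once, the following added example (not from Google or the original article) audits an inventory against the fixed builds named above. The inventory format, hostnames and sample versions are constructed for illustration, and the lower fixed build (.103) is assumed to be the minimum patched version on each platform.

```python
import re

# Fixed builds as stated in the article (Windows/Mac: .103/.104, Linux: .103).
# Assumption: .103 is treated as the minimum patched build on every platform.
FIXED = {
    "windows": (137, 0, 7151, 103),
    "mac": (137, 0, 7151, 103),
    "linux": (137, 0, 7151, 103),
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")

def parse_version(text):
    """Return a 4-tuple of ints for a Chrome version string, or None if malformed."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def audit(inventory_csv):
    """Classify each 'host,platform,version' line as patched, needs_update or unknown."""
    results = {}
    for line in inventory_csv.strip().splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            continue  # skip lines that do not match the assumed format
        host, platform, raw = fields
        version = parse_version(raw)
        baseline = FIXED.get(platform.lower())
        if version is None or baseline is None:
            results[host] = "unknown"  # never assume patched when data is bad
        elif version >= baseline:      # numeric compare: build 68 < build 103
            results[host] = "patched"
        else:
            results[host] = "needs_update"
    return results

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = """
ws-001,windows,137.0.7151.104
ws-002,windows,137.0.7151.68
mb-010,mac,137.0.7151.103
lx-020,linux,136.0.7103.113
lx-021,linux,137.0.7151
kiosk-1,chromeos,137.0.7151.103
ws-003,windows,138.0.7204.49
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Versions are compared as integer tuples because a plain string comparison would rank build .68 above build .103 and report an unpatched host as current.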