Google and Mozilla on Tuesday introduced the rollout of updates for the Chrome and Firefox browsers that handle a number of high-severity reminiscence security vulnerabilities.
Chrome 133 was promoted to the steady channel with 12 security fixes, together with three for flaws reported by exterior researchers.
Two of those bugs, tracked as CVE-2025-0444 and CVE-2025-0445, are use-after-free defects within the open supply 2D graphics library Skia and the V8 JavaScript engine. The third challenge is a medium-severity inappropriate implementation flaw within the Extensions API element.
Google didn’t share technical info on any of those vulnerabilities, however stated it handed out a $7,000 bug bounty reward for the bug in Skia, and $2,000 for the medium-severity flaw. The reward for the second high-severity challenge has but to be decided.
A kind of reminiscence security bugs, use-after-free vulnerabilities might result in code execution, information corruption, or denial of service. In Chrome, they’ll result in a sandbox escape if mixed with a bug in a privileged a part of Chrome.
Use-after-free points influence Firefox as nicely, and Mozilla launched model 135 of the browser with fixes for 2 such high-severity defects, tracked as CVE-2025-1009 and CVE-2025-1010, and impacting the Customized Spotlight API and the Extensible Stylesheet Language Transformations (XSLT) language.
The browser replace additionally fixes CVE-2025-1016 and CVE-2025-1020, two high-severity reminiscence security bugs that would probably result in code execution, and which have an effect on Thunderbird and Firefox ESR as nicely.
Firefox 135 additionally resolves seven medium- and low-severity vulnerabilities that would result in spoofing assaults, code execution, use-after-free, privateness leaks, and improper certificates checks.
Neither Google nor Firefox point out any of those flaws being exploited in assaults, however customers are suggested to replace their browsers as quickly as attainable.
Chrome is now rolling out as variations 133.0.6943.53/54 for Home windows and macOS, and as 133.0.6943.53 for Linux. Firefox 135 was launched together with Thunderbird 135, Thunderbird ESR 128.7, Firefox ESR 128.7, and Firefox ESR 115.20.
