Google seals critical security vulnerability in Chrome

Google is patching a security vulnerability in the Chrome web browser that has been classified as a critical risk. Users should update quickly.

[Image: stylized graphic of a burning Google Chrome logo on a laptop]

Security gaps in Google Chrome put users at risk.

(Image: created with AI in Bing Designer by heise online / dmk)


An updated version of the Chrome web browser has been released, closing a security vulnerability classified as critical. Chrome users should ensure that they are running the latest version.

In the release announcement, Google's developers describe the fixed vulnerabilities only very briefly. The entry for CVE-2025-3619 reads "Heap buffer overflow in Codecs" and carries the risk rating "critical". As usual for Google's Chrome advisories, no CVSS score is given. No further details are published, but from the description it follows that merely processing a crafted media file, for example a video embedded in a web page, can corrupt heap memory and potentially lead to code execution on the device.

The second vulnerability, CVE-2025-3620, is a use-after-free in Chrome's USB code. The program accesses memory that has already been freed, so its contents are undefined and may meanwhile have been overwritten by attacker-controlled data. Such bugs can often be turned into injection and execution of malicious code, which appears to be the case here as well and explains the "high" rating.

The current releases are 135.0.7049.95/.96 for macOS and Windows, 135.0.7049.95 for Linux, 135.0.7049.100 for Android and, on the extended stable channel, 134.0.6998.205 for macOS and Windows. These versions no longer contain the two vulnerabilities.


Clicking the icon with the three stacked dots to the right of the address bar opens the Chrome menu; "Help", then "About Google Chrome", opens the version dialog, which shows the installed version. If an update is available, the dialog downloads and installs it immediately and then prompts for a browser restart, which is required before the corrected code is actually running. On Linux, the package management of the distribution in use is usually responsible for the update.
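For administrators who have to verify many Linux machines rather than click through the dialog, the following script is an added example (not code from heise online or from Google) that reads the installed version from the browser binary and compares it against the fixed versions listed in the article. It assumes that `google-chrome`, `google-chrome-stable`, `chromium` or `chromium-browser` prints a line like "Google Chrome 135.0.7049.95" on `--version`, and it treats any release line newer than 135 as patched; both are assumptions, not facts from the article. It also handles the edge case that a plain numeric comparison would get wrong: the extended stable build 134.0.6998.205 is patched even though it sorts below 135.

```shell
#!/bin/sh
# Added example: check whether an installed Chrome/Chromium build already
# contains the fixes for CVE-2025-3619 and CVE-2025-3620.

# version_ge A B : succeeds when dotted numeric version A >= B.
# Pure POSIX sh, so it does not depend on GNU "sort -V".
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    [ -z "$ai" ] && ai=0          # missing trailing field counts as 0
    [ -z "$bi" ] && bi=0
    if [ "$ai" -gt "$bi" ]; then return 0; fi
    if [ "$ai" -lt "$bi" ]; then return 1; fi
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
  done
  return 0                        # all fields equal
}

# fixed_version_for PLATFORM MAJOR : prints the first fixed build for that
# release line, taken from the article; fails for release lines it does not list.
fixed_version_for() {
  case "$1:$2" in
    linux:135)            echo 135.0.7049.95 ;;
    windows:135|mac:135)  echo 135.0.7049.95 ;;   # .96 also shipped
    android:135)          echo 135.0.7049.100 ;;
    windows:134|mac:134)  echo 134.0.6998.205 ;;  # extended stable channel
    *) return 1 ;;
  esac
}

# chrome_is_patched PLATFORM VERSION : succeeds when VERSION already carries the fix.
chrome_is_patched() {
  platform="$1"; ver="$2"; major="${ver%%.*}"
  case "$major" in ''|*[!0-9]*) return 1 ;; esac   # malformed version string
  if [ "$major" -gt 135 ]; then return 0; fi       # assumption: later lines are patched
  fixed="$(fixed_version_for "$platform" "$major")" || return 1   # unknown line: treat as unpatched
  version_ge "$ver" "$fixed"
}

# parse_chrome_version_line LINE : extracts the four-part version from a
# "--version" line such as "Google Chrome 135.0.7049.95" (assumed format).
parse_chrome_version_line() {
  printf '%s\n' "$1" |
    sed -n 's/.*[^0-9.]\([0-9]\{1,\}\(\.[0-9]\{1,\}\)\{3\}\).*/\1/p'
}

# installed_chrome_version : prints the version of the first browser binary found.
installed_chrome_version() {
  for bin in google-chrome google-chrome-stable chromium chromium-browser; do
    if command -v "$bin" >/dev/null 2>&1; then
      v="$(parse_chrome_version_line "$("$bin" --version 2>/dev/null)")"
      [ -n "$v" ] && { printf '%s\n' "$v"; return 0; }
    fi
  done
  return 1
}

# Run as: sh chrome_check.sh --check
if [ "${1:-}" = "--check" ]; then
  v="$(installed_chrome_version)" || { echo "no Chrome/Chromium binary found"; exit 2; }
  if chrome_is_patched linux "$v"; then
    echo "Chrome $v: contains the fixes"
  else
    echo "Chrome $v: UPDATE NEEDED"; exit 1
  fi
fi
```

Note that a binary reporting a fixed version only proves that the package on disk is current: a Chrome process that was started before the update still runs the old code until the browser is restarted.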

The vulnerabilities are also likely to affect other Chromium-based browsers such as Microsoft Edge, which share the affected code. Updates for those browsers are expected shortly and should be applied just as promptly.

Vulnerabilities in popular web browsers are the preferred target of cybercriminals, as was the case around three weeks ago when criminals attacked a Chrome vulnerability in the wild. The update should therefore not be put on the back burner.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.