Google Chrome: Update closes critical security vulnerability
The developers have discovered a critical security vulnerability in the Chrome web browser. An update fixes it.
The developers have closed a security vulnerability in the Google Chrome web browser that has been classified as a critical risk. Anyone using the browser should make sure they are using the latest version.
In the version announcement, Google remains characteristically tight-lipped about the details of the vulnerability. It is a "use after free" bug, in which program code accesses resources that have already been released and therefore have undefined content. The bug is located in ANGLE, the WebGL rendering backend (CVE-2025-9478 / EUVD-2025-25822, no CVSS score yet, but "critical" risk according to Google). The CVE entry at least reveals that attackers from the network can abuse a memory error on the heap, for example with carefully prepared HTML web pages. Such errors often allow malicious code to be injected and executed, which can also be assumed here given the severity.
The developers have patched the vulnerability in Google Chrome versions 139.0.7258.158 for Android, 139.0.7258.154 for Linux and 139.0.7258.154/.155 for macOS and Windows. The update is now available for download.
Version checks
The version dialog reveals whether the current version of the web browser is running. It opens after clicking the icon with three stacked dots to the right of the address bar, then choosing "Help" – "About Google Chrome".
If updated software is available, this also starts the update process. On Linux, the distribution's own software management is responsible for this. On Android, the update is available in the Google Play Store – but not immediately for all smartphones. The vulnerability affects the Chromium project and should therefore also make software based on it, such as the Microsoft Edge browser, vulnerable. An update for this should also be available shortly, which users should install promptly.
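For administrators who would rather check an inventory than open the dialog on every machine, the following added example (not part of the original article) compares reported Chrome versions against the fixed builds named above. The host names, the inventory rows and the function names are constructed for illustration.

```python
import re

# Fixed Chrome builds named in the article, keyed by platform.
PATCHED = {
    "android": (139, 0, 7258, 158),
    "linux": (139, 0, 7258, 154),
    "macos": (139, 0, 7258, 154),    # article lists .154/.155
    "windows": (139, 0, 7258, 154),  # article lists .154/.155
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract a four-part Chrome version from text such as
    'Google Chrome 139.0.7258.154'; return a tuple of ints or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def status(platform, version_text):
    """Classify one host: 'patched', 'needs-update' or 'unknown'."""
    minimum = PATCHED.get(platform.lower())
    version = parse_version(version_text)
    if minimum is None or version is None:
        return "unknown"
    # Tuples compare numerically per component, so .99 sorts below .154
    # (a plain string comparison would get this wrong).
    return "patched" if version >= minimum else "needs-update"


# Constructed inventory: (host, platform, reported version string)
INVENTORY = [
    ("ws-01", "windows", "Google Chrome 139.0.7258.155"),
    ("ws-02", "windows", "Google Chrome 139.0.7258.128"),
    ("dev-07", "linux", "Google Chrome 139.0.7258.99 "),
    ("mob-03", "android", "139.0.7258.154"),
    ("mac-11", "macos", "Google Chrome 140.0.7000.10"),
    ("kiosk-2", "linux", "version not reported"),
]


def audit(inventory):
    """Return {host: status} for every inventory row."""
    return {host: status(plat, ver) for host, plat, ver in inventory}


if __name__ == "__main__":
    for host, result in audit(INVENTORY).items():
        print(f"{host:8} {result}")
```

Note that the Android row is flagged even though it reports .154, because the fixed Android build is .158. Chromium-based browsers with their own version numbering, such as Microsoft Edge, need their own thresholds.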
Google last had to patch a vulnerability in the Chrome web browser that was already under attack in mid-July.
(dmk)