Chrome use-after-free Vulnerability Let Attackers Execute Code Remotely
Google has rolled out an urgent security update for Chrome, addressing four high-severity vulnerabilities that could allow attackers to execute malicious code or compromise user data.
The update, Chrome version 133.0.6943.98/.99 for Windows/Mac and 133.0.6943.98 for Linux, targets critical flaws in core browser components, including the V8 JavaScript engine and navigation systems.
Key Vulnerabilities Patched
The update resolves four critical security issues reported by external researchers:
- CVE-2025-0995: A use-after-free flaw in Chrome’s V8 JavaScript engine, allowing remote attackers to exploit heap corruption via crafted HTML pages. Google awarded a $55,000 bounty for this discovery.
- CVE-2025-0996: An inappropriate implementation in the Browser UI, enabling spoofing attacks to deceive users.
- CVE-2025-0997: A use-after-free vulnerability in the Navigation component, risking arbitrary code execution.
- CVE-2025-0998: Out-of-bounds memory access in V8, which could lead to data leaks or system crashes.
These vulnerabilities, rated 9.8/10 on the CVSS scale, pose severe risks, including remote code execution and denial-of-service attacks.
- Use-after-free flaws, a type of memory corruption bug, can let attackers manipulate freed memory to execute arbitrary code or crash browsers.
- Out-of-bounds memory access in V8 could leak sensitive data or corrupt system processes.
- Browser UI spoofing (CVE-2025-0996) might trick users into interacting with malicious elements disguised as legitimate interfaces.
While Chrome updates automatically, users should manually trigger the process:
- Open Chrome and click the three-dot menu > Help > About Google Chrome.
- Allow the browser to download updates and restart.
Enterprise administrators are advised to deploy patches immediately, as exploits targeting these vulnerabilities could bypass security sandboxes and compromise organizational networks.
This update follows a series of high-severity fixes in recent months, including patches for V8 type confusion (CVE-2025-0291) and Skia heap corruption (CVE-2025-0444).
Google’s continued reliance on bug bounty programs underscores the growing sophistication of browser-targeted attacks.
Security experts emphasize that delaying updates increases exposure to attacks leveraging these flaws, particularly through phishing campaigns or malicious websites. Users are urged to apply the latest patches and remain vigilant against suspicious web content.
PCI DSS 4.0 & Supply Chain Attack Prevention – Free Webinar
The post Chrome use-after-free Vulnerability Let Attackers Execute Code Remotely appeared first on Cyber Security News.