Google Chrome and Chromium Browsers Patched for Multiple Security Vulnerabilities Including WebXR Data Leak
Google has released a security update for its Chrome browser, addressing 13 vulnerabilities, four of which are rated high severity. Among the most notable is a use-after-free flaw in the Digital Credentials feature (CVE-2025-13633), which could allow remote attackers to exploit affected systems. The update brings Chrome to version 143.0.7499.40/.41 for Windows and macOS, and 143.0.7499.40 for Linux, and users are strongly advised to update promptly to mitigate risk, as attackers often exploit such vulnerabilities before widespread patch adoption.
In addition to the Digital Credentials issue, a significant data leak vulnerability was discovered in the WebXR component (CVE-2025-12443), affecting all major Chromium-based browsers, including Chrome, Edge, Brave, and Opera. The flaw, which could expose heap memory and pointer data, required user interaction with a malicious page to be exploited. Google responded rapidly to the responsible disclosure, issuing a fix within 24 hours and updating the stable Chrome release within two weeks. Users of all Chromium-based browsers are urged to update to the latest versions to ensure protection against these and other recently patched vulnerabilities.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Google patches high-severity Digital Credentials bug
Among the Chrome 143 fixes, Google addressed CVE-2025-13633, a high-severity use-after-free vulnerability in the Digital Credentials feature affecting Chrome versions prior to 143.0.7499.41. Google withheld detailed technical information until more users had updated.
Google releases Chrome 143 with 13 security fixes
Google released Chrome 143 in early December 2025, fixing 13 security issues including four rated high severity, and urged users to update promptly because of Chrome's massive user base.
Chrome 142 update ships with WebXR vulnerability fix
Within 13 days of the WebXR flaw's disclosure, Google updated Chrome to version 142.0.7444.59 to address CVE-2025-12443 and reduce exposure across billions of Chromium users.
Google fixes WebXR flaw within 24 hours of disclosure
Google responded to disclosure of CVE-2025-12443 by producing a fix within 24 hours, beginning remediation for affected Chromium-based browsers including Chrome and other downstream projects.
AISLE discovers Chromium WebXR flaw
In October 2025, researcher AISLE discovered CVE-2025-12443, a medium-severity vulnerability in Chromium's WebXR component that could leak 64 bytes of adjacent heap memory when a user interacted with a malicious VR or AR session.
WebXR vulnerability introduced into Chromium codebase
The WebXR flaw later tracked as CVE-2025-12443 had reportedly been present in Chromium for about seven months before it was discovered, exposing affected Chromium-based browsers to potential memory leakage during crafted VR or AR sessions.
Sources
Google Rolls Out Chrome 143 Update for Billions Worldwide (techrepublic.com)
Update Chrome now: Google fixes 13 security issues affecting billions (malwarebytes.com)
WebXR Flaw Hits 4 Billion Chromium Users, Update Your Browser Now (hackread.com)


