Google patches multiple Chrome V8 flaws enabling web-based remote code execution
Google released Chrome fixes for multiple high-severity vulnerabilities in the V8 JavaScript engine, including CVE-2025-10891, CVE-2025-10892, and CVE-2025-9864, that could be triggered when a user visits a malicious web page. The flaws include integer overflows and a use-after-free condition that can cause heap corruption in the browser renderer and potentially lead to arbitrary code execution. A related bulletin also lists CVE-2025-10890, a V8 side-channel information disclosure issue, alongside the two integer overflow bugs, warning that successful exploitation could expose sensitive data or enable full system compromise.
Google said the affected Chrome builds were patched across Windows, macOS, and Linux in the 140.0.7339 release line, with fixes landing in versions including 140.0.7339.80/.81 and later 140.0.7339.207/.208 depending on the flaw and platform. Several of the vulnerabilities were reportedly identified by Google’s AI-based Big Sleep system, and no public proof-of-concept exploits were cited in the referenced reports. Organizations using Chrome or Chromium-based browsers were urged to deploy the vendor updates promptly because the bugs are reachable through routine web browsing and may also affect downstream browsers that have not yet incorporated the upstream patches.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Security bulletin documents three Chrome V8 vulnerabilities
A bulletin described three Google Chrome V8 vulnerabilities: CVE-2025-10890, CVE-2025-10891, and CVE-2025-10892. It states CVE-2025-10890 enables information disclosure and the other two integer overflow flaws can allow remote code execution, and recommends applying the vendor update.
Google patches Chrome V8 flaws CVE-2025-10891 and CVE-2025-10892
Google fixed high-severity integer overflow vulnerabilities CVE-2025-10891 and CVE-2025-10892 in Chrome's V8 JavaScript engine in version 140.0.7339.207/.208. The flaws could allow heap corruption and potentially arbitrary code execution when a victim visits a malicious web page, and the content says they were discovered by Google's Big Sleep system.
Chrome 140.0.7339.185/.186 patches ANGLE flaw CVE-2025-10502
Google patched CVE-2025-10502, a heap buffer overflow in Chrome's ANGLE graphics engine, by adding stricter bounds checking. The flaw affected Chrome on Windows, macOS, and Linux before versions 140.0.7339.185 or 140.0.7339.186 depending on platform.
Google issues September 2025 Android patch for CVE-2025-32320
Google's September 2025 Android Security Bulletin addressed CVE-2025-32320, a local privilege escalation flaw in Android 16 System UI that could let attackers access images belonging to other users on a shared device. The content states affected devices are those prior to security patch level 2025-09-05.
Chrome 140.0.7339.80/.81 fixes V8 use-after-free CVE-2025-9864
Google made fixes available for CVE-2025-9864, a high-severity use-after-free vulnerability in Chrome's V8 engine that could be triggered via a malicious web page. The patched versions are Chrome 140.0.7339.80 for Linux and 140.0.7339.80/.81 for Windows and Mac.
Google patches Android Skia flaw CVE-2025-32318 in Android 16
Google addressed CVE-2025-32318, a critical heap-based buffer overflow in the Skia graphics engine, through Android 16 System component patches integrated into AOSP. The content says users should update to security patch level 2025-07-01 or later.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
SB20250923100 - Multiple vulnerabilities in Google Chrome
cybersecurity-help.cz
Open sourceChrome V8 Integer Overflow (CVE-2025-10891): Brief Summary and Patch Details - ZeroPath Blog | ZeroPath
zeropath.com
Open sourceGoogle Chrome V8 Integer Overflow (CVE-2025-10892): Brief Summary and Technical Review - ZeroPath Blog | ZeroPath
zeropath.com
Open sourceGoogle Chrome ANGLE Heap Buffer Overflow (CVE-2025-10502): Brief Summary and Patch Guidance - ZeroPath Blog | ZeroPath
zeropath.com
Open sourceAndroid System UI CVE-2025-32320: Brief Summary of a Confused Deputy Privilege Escalation Vulnerability - ZeroPath Blog | ZeroPath
zeropath.com
Open sourceAndroid Skia Heap Buffer Overflow (CVE-2025-32318): Brief Summary and Patch Guidance - ZeroPath Blog | ZeroPath
zeropath.com
Open sourceGoogle Chrome V8 Use-After-Free (CVE-2025-9864): Brief Summary and Technical Review - ZeroPath Blog | ZeroPath
zeropath.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Google Chrome Patches Actively Exploited V8 Out-of-Bounds Flaw
Google released an urgent Chrome desktop update to fix **74 security issues**, including `CVE-2026-11645`, a high-severity **out-of-bounds memory access** vulnerability in the **V8 JavaScript engine**. Google said an exploit for the flaw exists **in the wild**, making it the most pressing issue in the release. The update affects Chrome on **Windows, macOS, and Linux**, and Google limited technical details for some bugs until more users receive the patch. The release also addresses multiple additional memory-safety flaws, including **use-after-free** bugs in components such as **Ozone**, **Bluetooth**, and **tab strips**. HKCERT separately published an advisory covering multiple Chrome vulnerabilities, reinforcing the breadth of the fixes. Organizations are being urged to update Chrome immediately and ensure browser restarts are completed so the patched version is applied across managed endpoints.
Jun 10, 2026
Google patches 31 Chrome 147 flaws including critical RCE and sandbox escapes
Google released Chrome `147.0.7727.101/.102` for desktop and `147.0.7727.101` for Android to fix a broad set of browser vulnerabilities, with the desktop advisory covering **31 security issues** and multiple **Critical** and **High** severity bugs. The patched set includes remote code execution and memory-corruption flaws such as `CVE-2026-6299` in Prerender, `CVE-2026-6297` in Proxy, `CVE-2026-6300` in Blink CSS, `CVE-2026-6307` and `CVE-2026-6363` in V8, `CVE-2026-6361` in PDFium, and several use-after-free bugs in Video, Forms, FileSystem, Cast, Permissions, and XR components. Google said Android inherits the same security fixes as the corresponding desktop release unless otherwise noted, and affected versions span Chrome builds prior to `147.0.7727.101` on Linux and Android and prior to `147.0.7727.101/.102` on Windows and macOS. Several of the flaws could be used in exploit chains to cross Chrome security boundaries, including sandbox escape paths in GPU, Viz, Dawn WebGPU, Accessibility, Graphite, and Proxy components through `CVE-2026-6314`, `CVE-2026-6309`, `CVE-2026-6310`, `CVE-2026-6311`, `CVE-2026-6304`, and `CVE-2026-6297`. Public technical details for many Chromium issues remain restricted while patches propagate, and no confirmed in-the-wild exploitation was cited for these specific April fixes, though multiple reports note Chrome’s recent zero-day activity and the likelihood of rapid weaponization of memory-safety bugs. The Canadian Centre for Cyber Security urged organizations to review Google’s advisory and apply updates promptly, while downstream Chromium-based browsers may remain exposed until they ship their own patched releases.
Jun 12, 2026
Google Chrome Patches 34 Flaws Including Multiple RCE Bugs
Google has released two Chrome Stable channel security updates that together patch **34 vulnerabilities**, including multiple flaws that could allow **remote code execution** if users are lured to malicious webpages. The first update fixed **26 issues**—including **three critical**, **22 high-severity**, and **one medium-severity** bugs—in components such as **WebGL**, **WebRTC**, **V8**, **Blink**, **Network**, **WebAudio**, **Dawn**, **PDFium**, **ANGLE**, and **Extensions**. Google said the most serious weaknesses involved memory corruption, including use-after-free, heap and stack buffer overflows, out-of-bounds access, integer overflows, type confusion, and insufficient validation of untrusted input. A follow-up update addressed **eight additional high-severity vulnerabilities** affecting **WebAudio**, **CSS**, **WebGL**, **Dawn**, **WebGPU**, **Fonts**, and **FedCM**, again dominated by memory-safety bugs that could lead to browser compromise. Google shipped versions `146.0.7680.153` and `146.0.7680.154` for Windows and macOS and `146.0.7680.153` for Linux in the first release, followed by `146.0.7680.164` and `146.0.7680.165` for Windows and macOS and `146.0.7680.164` for Linux in the second. The company said many flaws were found through **AddressSanitizer**, **MemorySanitizer**, and **libFuzzer**, paid a **$7,000** bounty for one WebAudio bug, and is withholding technical details until more users have updated to reduce the risk of exploit development.
Mar 24, 2026