Google has promoted Chrome 143 to the Stable channel, releasing version 143.0.7499.40 for Linux and 143.0.7499.40/41 for Windows and Mac.
This update fixes 13 security vulnerabilities, including several high-severity flaws that could allow attackers to execute arbitrary code or compromise the browser’s rendering engine.
The most severe vulnerability addressed in this release is CVE-2025-13630, a Type Confusion flaw in the V8 JavaScript engine. Reported by security analyst Shreyas Penkar, it earned a reward of $11,000.
Type confusion vulnerabilities are especially dangerous because they occur when a resource is allocated as one type but is later accessed as a different, incompatible type.
In a browser, successful exploitation of a V8 type confusion flaw frequently allows a remote attacker to execute arbitrary code within the renderer sandbox by luring the user to a specially crafted website.
Another significant high-severity issue is CVE-2025-13631, an inappropriate implementation in the Google Updater service. This vulnerability was reported by researcher Jota Domingos and carried a $3,000 reward.
While specific details of the exploitation vector remain confidential to prevent widespread misuse, vulnerabilities in update mechanisms can sometimes be exploited to establish persistence or elevate privileges on a host system.
The update also fixes CVE-2025-13632, a high-severity issue in DevTools reported by Leandro Teles, and CVE-2025-13633, a “Use After Free” (UAF) memory corruption flaw in Digital Credentials discovered internally by Google.
UAF flaws remain a common category of memory-safety vulnerability in Chrome. They frequently occur when the browser attempts to use memory that has already been freed, resulting in crashes or potential code execution.
Google has limited access to the complete bug details until a significant portion of the user base has upgraded to the patched version. This standard operating procedure mitigates the risk of malicious actors reverse-engineering the patch to create exploits for unpatched browsers.
The following table summarizes the primary external security contributions resolved in Chrome 143:

| CVE ID | Severity | Vulnerability Type | Component | Reward |
|---|---|---|---|---|
| CVE-2025-13630 | High | Type Confusion | V8 | $11,000 |
| CVE-2025-13631 | High | Inappropriate Implementation | Google Updater | $3,000 |
| CVE-2025-13632 | High | Inappropriate Implementation | DevTools | TBD |
| CVE-2025-13634 | Medium | Inappropriate Implementation | Downloads | TBD |
| CVE-2025-13635 | Low | Inappropriate Implementation | Downloads | $3,000 |
| CVE-2025-13636 | Low | Inappropriate Implementation | Split View | $1,000 |

In addition to external reports, Google’s internal security team uncovered several other issues, including a medium-severity race condition in V8 (CVE-2025-13721) and a bad cast in the Loader component (CVE-2025-13720).
The Chrome team used automated testing tools such as AddressSanitizer and libFuzzer to identify these memory errors during development.
Users on Windows, Mac, and Linux should expect the update to install automatically in the coming days. To check manually, open the Chrome menu, select Help, and click About Google Chrome to trigger the download of version 143.
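
For fleets where automatic updates may lag, the fixed build numbers above can be checked against an inventory. The following is an added example, not code from Google or the Chrome project; the host names and the sample version strings are constructed, and it assumes an inventory tool has already collected one version string per host (for instance the output of `google-chrome --version` on Linux).

```python
import re

# Fixed builds named in the article: 143.0.7499.40 (Linux) and
# 143.0.7499.40/41 (Windows, Mac). Anything below .40 predates the fixes.
PATCHED = (143, 0, 7499, 40)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the four-part Chrome version found in text as a tuple of ints,
    or None when no version is present (e.g. Chrome is not installed)."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(text):
    """Classify one collected version string against the patched build."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    # Compare numerically, field by field: as plain strings "99.0..." would
    # sort after "143.0..." and an old build would be reported as patched.
    return "patched" if version >= PATCHED else "vulnerable"


def audit(inventory):
    """inventory: iterable of (host, version_text). Returns status -> hosts."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, text in inventory:
        report[classify(text)].append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed sample inventory (hypothetical hosts and collected strings).
SAMPLE = [
    ("lin-01", "Google Chrome 143.0.7499.40 "),
    ("win-07", "142.0.7444.176"),
    ("mac-03", "Google Chrome 143.0.7499.41"),
    ("lin-09", "Google Chrome 99.0.4844.51"),
    ("kiosk-2", "chrome: command not found"),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```

Hosts reported as `unknown` need a follow-up check rather than being treated as patched.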