Google has released an urgent security update for its Chrome browser after identifying a high-severity use-after-free vulnerability that could allow attackers to execute arbitrary code on users’ devices. This flaw, if exploited, could let hackers take full control of a system simply through a malicious website visit, making it critical for users to update immediately.
Patch Details and Versions
The security fix is part of Chrome version 141.0.7390.107 for Linux and 141.0.7390.107/.108 for Windows and macOS, which began rolling out to the Stable channel earlier this week. According to Google’s release notes, the update will continue reaching users automatically over the next several days or weeks.
Google encourages users to manually check for updates to ensure they receive the latest security patch promptly. You can do this by navigating to Settings → Help → About Google Chrome, where the browser will automatically verify and install the latest version.
About the Vulnerability (CVE-2025-11756)
The flaw, identified as CVE-2025-11756, exists within Chrome’s Safe Browsing component. This feature is responsible for protecting users from harmful websites, phishing links, and other online threats. However, a memory handling issue within this module made it possible for attackers to exploit the browser under specific conditions.
The vulnerability was reported by independent researcher “as nine” on September 25, 2025, earning a $7,000 bounty under Google’s Vulnerability Reward Program (VRP).
How Use-After-Free Bugs Work
Use-after-free vulnerabilities occur when an application continues to use memory that has already been released. This improper memory management can lead to crashes, data corruption, or, in severe cases, allow attackers to run malicious code on a target system.
In this scenario, a crafted webpage could exploit the flaw to bypass Chrome’s sandbox protections, enabling remote code execution. Essentially, the attacker could inject and execute commands as if they had local access to the machine, compromising the integrity of the entire browser session.
Severity and Exploitation Risk
Google has classified this bug as high severity, emphasizing that it could be exploited remotely without any additional user interaction beyond visiting a compromised webpage. So far, there is no evidence of the vulnerability being actively exploited in the wild, but given Chrome’s popularity, the risk of weaponization remains high.
To prevent widespread abuse, Google has restricted technical details of the vulnerability until most users receive the patch. This is a standard practice that aligns with the company’s proactive security model, ensuring attackers cannot take advantage of unpatched systems.
Detection and Prevention Tools
The fix was aided by Google’s advanced memory error detection tools, including AddressSanitizer, MemorySanitizer, and libFuzzer. These internal mechanisms help engineers identify and resolve memory-related issues early in Chrome’s development process, preventing them from reaching stable releases.
Google also credited several external security researchers who contributed to finding and reporting additional bugs during this update cycle, ensuring broader protection across platforms.
Recommendations for Users
All users are strongly advised to update Chrome immediately through the browser’s settings or wait for the automatic update to apply. Timely patching remains one of the most effective defenses against modern cyberattacks, especially for browsers that handle sensitive information like passwords, banking data, and authentication tokens.
This incident highlights how critical it is to maintain updated browsers and to stay aware of security advisories. Regular updates not only patch known vulnerabilities but also improve the browser’s overall resilience against evolving cyber threats.
