Chrome 137 and Firefox 139 Fix Critical Vulnerabilities

On Tuesday, Google and Mozilla announced the release of Chrome 137 and Firefox 139, which include patches for a combined total of 21 vulnerabilities. Among these, three were rated as high severity.

Chrome 137 addresses 11 security issues, eight of which were reported by external researchers. Two of these are high-severity memory safety flaws: a use-after-free bug in Compositing (CVE-2025-5063) and an out-of-bounds write issue in the V8 JavaScript engine (CVE-2025-5280). 

Although Google has not shared detailed technical information about the bugs, memory safety vulnerabilities can often be exploited to execute arbitrary code or cause the application to crash. If paired with other flaws in the system or privileged components, use-after-free issues can potentially allow attackers to escape Chrome's sandbox environment. 

The update also fixes five medium-severity vulnerabilities involving the Background Fetch API, FileSystemAccess API, Messages, BFCache, and libvpx. Additionally, a low-severity issue was resolved in the Tab Strip feature. 

Google has already awarded $7,500 in bug bounties to researchers but noted that the final payout could be higher, as amounts for the high-severity flaws and two medium-severity bugs are still being calculated. 

The new Chrome version is now available as 137.0.7151.55/56 for Windows and macOS and as 137.0.7151.55 for Linux. 

Firefox 139 includes patches for 10 security issues. Among them is a high-severity double-free vulnerability in libvpx, which lacks a CVE identifier. This flaw could result in memory corruption and possibly an exploitable crash. The update also addresses six medium-severity bugs that could lead to cross-origin data leaks, local code execution, cross-site leaks, and further memory corruption with the potential for arbitrary code execution. 

Mozilla also released Firefox ESR 128.11, which includes fixes for eight of the identified issues, and Firefox ESR 115.24, which patches four of them. Thunderbird 139 received updates for all 10 vulnerabilities, while Thunderbird 128.11 included fixes for eight. 

Although neither Google nor Mozilla reported any evidence of these vulnerabilities being exploited in the wild, users are strongly encouraged to update their browsers promptly, as Chrome and Firefox bugs are frequently targeted by malicious actors. 
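
For teams verifying that the update has actually landed, the following added example (not from Google, Mozilla, or the original article) audits a software inventory against the fixed versions named above. The inventory format, host names, and sample rows are constructed, and it assumes the ESR and Thunderbird 128 branches can be recognised by their major version number.

```python
# Added example: flag browser installs older than the fixed versions in the article.
# Key None is the mainline baseline; integer keys are long-lived branches
# (Firefox ESR 128/115, Thunderbird 128), selected by major version (assumption).
BASELINES = {
    "chrome": {None: (137, 0, 7151, 55)},
    "firefox": {None: (139,), 128: (128, 11), 115: (115, 24)},
    "thunderbird": {None: (139,), 128: (128, 11)},
}

def parse_version(text):
    """Turn '137.0.7151.55' into (137, 0, 7151, 55); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def is_patched(product, version):
    """True if version is at or above the fixed release for its branch."""
    branches = BASELINES[product.lower()]          # KeyError for unknown products
    v = parse_version(version)
    baseline = branches.get(v[0], branches[None])  # branch baseline, else mainline
    width = max(len(v), len(baseline))
    pad = lambda t: t + (0,) * (width - len(t))    # so 139 compares equal to 139.0.0
    return pad(v) >= pad(baseline)

def audit(inventory):
    """Return (host, product, version, status) for rows that need attention."""
    findings = []
    for host, product, version in inventory:
        try:
            if not is_patched(product, version):
                findings.append((host, product, version, "outdated"))
        except (KeyError, ValueError):
            # Unknown product or odd version string: surface it, do not assume safe.
            findings.append((host, product, version, "unknown"))
    return findings

# Constructed sample inventory (host names and installed versions are made up).
SAMPLE = [
    ("ws-01", "Chrome", "137.0.7151.55"),
    ("ws-02", "Chrome", "137.0.7151.54"),
    ("ws-03", "Firefox", "128.11.0"),
    ("ws-04", "Firefox", "128.10.1"),
    ("ws-05", "Firefox", "115.24.0"),
    ("ws-06", "Thunderbird", "138.0"),
    ("ws-07", "Firefox", "139.0b3"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row)
```

Rows reported as "unknown" (for example beta version strings) should be reviewed by hand rather than treated as patched.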
