SecurityWeek

Chrome 133, Firefox 135 Patch High-Severity Vulnerabilities

Chrome 133 and Firefox 135 were released with patches for multiple high-severity memory safety vulnerabilities.

Google and Mozilla on Tuesday announced the rollout of updates for the Chrome and Firefox browsers that address multiple high-severity memory safety vulnerabilities.

Chrome 133 was promoted to the stable channel with 12 security fixes, including three for flaws reported by external researchers.

Two of these bugs, tracked as CVE-2025-0444 and CVE-2025-0445, are use-after-free defects in the open source 2D graphics library Skia and the V8 JavaScript engine. The third issue is a medium-severity inappropriate implementation flaw in the Extensions API component.

Google did not share technical information on any of these vulnerabilities, but said it handed out a $7,000 bug bounty reward for the bug in Skia, and $2,000 for the medium-severity flaw. The reward for the second high-severity issue has yet to be determined.

A type of memory safety bug, use-after-free vulnerabilities could lead to code execution, data corruption, or denial of service. In Chrome, they can lead to a sandbox escape if combined with a bug in a privileged part of Chrome.

Use-after-free issues impact Firefox as well, and Mozilla released version 135 of the browser with fixes for two such high-severity defects, tracked as CVE-2025-1009 and CVE-2025-1010, and impacting the Custom Highlight API and the Extensible Stylesheet Language Transformations (XSLT) language.

The browser update also fixes CVE-2025-1016 and CVE-2025-1020, two high-severity memory safety bugs that could potentially lead to code execution, and which affect Thunderbird and Firefox ESR as well.

Firefox 135 also resolves seven medium- and low-severity vulnerabilities that could lead to spoofing attacks, code execution, use-after-free, privacy leaks, and improper certificate checks.

Neither Google nor Firefox mentions any of these flaws being exploited in attacks, but users are advised to update their browsers as soon as possible.

Chrome is now rolling out as versions 133.0.6943.53/54 for Windows and macOS, and as 133.0.6943.53 for Linux. Firefox 135 was released along with Thunderbird 135, Thunderbird ESR 128.7, Firefox ESR 128.7, and Firefox ESR 115.20.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
