Chrome 135, Firefox 137 Patch High-Severity Vulnerabilities

Chrome 135 and Firefox 137 were released on Tuesday with fixes for several high-severity memory safety vulnerabilities.

Google and Mozilla on Tuesday announced the release of Chrome 135 and Firefox 137 to the stable channel with patches for nearly two dozen vulnerabilities, including high-severity memory safety bugs.

Chrome 135 was promoted to the stable channel with 14 security fixes, including nine for defects reported by external researchers. The most severe of these is CVE-2025-3066, a high-severity use-after-free flaw in Navigations.

The update resolves four medium-severity issues (three inappropriate implementations in Custom Tabs, Intents, and Extensions, and an insufficient validation of untrusted input in Extensions) and four low-severity bugs (inappropriate implementations in Navigations, Custom Tabs, Autofill, and Downloads).

Google says it paid $18,000 in bug bounty rewards to the reporting researchers, with the highest payout ($10,000) going to Philipp Beer (TU Wien) for the inappropriate implementation issue in Custom Tabs.

However, the reward for the high-severity issue has not been disclosed, and the final amount that Google paid for these vulnerabilities could be much higher.

The latest Chrome iteration is currently rolling out as version 135.0.7049.52 for Linux and as versions 135.0.7049.41/42 for Windows and macOS.

Firefox 137 was released with fixes for eight security defects, including three high-severity flaws: a use-after-free triggered by XSLTProcessor (tracked as CVE-2025-3028), and multiple memory safety bugs that could potentially be exploited for code execution (collectively tracked as CVE-2025-3030 and CVE-2025-3034).

The browser update also resolves medium- and low-severity vulnerabilities that could lead to information disclosure, URL bar spoofing, and the upload of arbitrary files when opening a .url shortcut on Windows.

On Tuesday, Mozilla also announced the release of Firefox ESR 128.9, Firefox ESR 115.22, Thunderbird 137, and Thunderbird ESR 128.9, which contain patches for most of the issues resolved in Firefox.

Neither Google nor Mozilla makes any mention of these vulnerabilities being exploited in the wild. However, users are advised to update their applications as soon as possible.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.