Chrome 136, Firefox 138 Patch High-Severity Vulnerabilities

Chrome 136 and Firefox 138 were released in the stable channel with patches for multiple high-severity vulnerabilities.

Google and Mozilla on Tuesday announced the promotion of Chrome 136 and Firefox 138 to their stable channels with patches for over a dozen vulnerabilities, including multiple high-severity bugs.

Chrome 136 was rolled out with eight security fixes, four of which address flaws reported by external researchers.

The most severe of the externally reported security defects is CVE-2025-4096, a high-severity heap buffer overflow issue in HTML that earned the reporting researcher a $5,000 bug bounty reward.

The remaining three vulnerabilities reported by external researchers include medium-severity out-of-bounds memory access and insufficient data validation issues in DevTools, and a low-severity inappropriate implementation in DevTools.

Google says it paid out $2,000 rewards for the medium-severity bugs and a $1,000 bug bounty for the low-severity one.

The latest Chrome iteration is rolling out as versions 136.0.7103.48/49 for Windows and macOS, and as version 136.0.7103.59 for Linux.

On Tuesday, Mozilla released Firefox 138 with patches for 11 vulnerabilities, including four high-severity bugs that could lead to privilege escalation, sandbox escape, and potentially arbitrary code execution.

The browser update also fixes six medium-severity flaws potentially leading to information disclosure, obscured file extension during download, memory corruption, cross-site request forgery (CSRF) attacks, and code execution. A low-severity issue impacting Firefox for Android was also resolved.

Fixes for these vulnerabilities were also included in Thunderbird 138, and Firefox ESR and Thunderbird ESR were updated as well to resolve some of these flaws. Additional information can be found on Mozilla’s security advisories page.

Neither Google nor Firefox mentions any of these security defects being exploited in the wild, but users are advised to update their browsers as soon as possible.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
