Chrome 137, Firefox 139 Patch High-Severity Vulnerabilities

Google and Mozilla released patches for Chrome and Firefox to address a total of 21 vulnerabilities between the two browsers, including three rated high severity.

Google and Mozilla on Tuesday announced the release of Chrome 137 and Firefox 139, with patches for a total of 21 vulnerabilities between the two browsers, including three rated high severity.

Chrome 137 brings 11 security fixes, eight of which cover security defects reported by external researchers.

Of the eight externally reported bugs, two are high-severity memory safety issues, namely a use-after-free defect in Compositing (CVE-2025-5063) and an out-of-bounds write flaw in the V8 JavaScript engine (CVE-2025-5280).

Google has not shared technical details, but memory safety bugs of this kind are the classic route to arbitrary code execution or a crash in the affected process. In Chrome that process is usually the sandboxed renderer, so a use-after-free or out-of-bounds write on its own buys the attacker code execution inside the sandbox; chaining it with a second flaw in a more privileged process or in the underlying operating system is what turns it into a sandbox escape.

The latest Chrome update also resolves five medium-severity security defects in the Background Fetch API, FileSystemAccess API, Messages, BFCache, and libvpx, and one low-severity flaw in Tab Strip.

Google says it handed out $7,500 in bug bounty rewards to the reporting researchers, but it has yet to determine the amounts to be paid for the high-severity vulnerabilities and two medium-severity bugs, so the final amount could be much higher.

The latest Chrome iteration is now rolling out as versions 137.0.7151.55/56 for Windows and macOS and as version 137.0.7151.55 for Linux.

Firefox 139 was released with patches for 10 vulnerabilities, including a high-severity double-free issue in libvpx (with no CVE identifier assigned) that could have led to memory corruption and a potentially exploitable crash.


Additionally, the browser update resolves six medium-severity bugs that could lead to cross-origin leak attacks, local code execution, cross-site leaks (XS-Leaks), and memory corruption that could have been exploited for arbitrary code execution.

On Tuesday, Mozilla also delivered Firefox ESR 128.11 with patches for eight of these vulnerabilities, and Firefox ESR 115.24 with fixes for four of them. Thunderbird 139 was rolled out with fixes for all 10 security defects, while Thunderbird 128.11 came out with patches for eight of the flaws.

While neither Google nor Mozilla mentions any of these vulnerabilities being exploited in the wild, users are advised to update their browsers as soon as possible, as threat actors routinely target Chrome and Firefox bugs once patches make them public.

Related: Chrome 136 Update Patches Vulnerability With ‘Exploit in the Wild’

Related: Chrome 136, Firefox 138 Patch High-Severity Vulnerabilities

Related: Chrome 135, Firefox 137 Updates Patch Severe Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
