Vulnerabilities

Chrome 137, Firefox 139 Patch High-Severity Vulnerabilities

Google and Mozilla released patches for Chrome and FireFox to address a total of 21 vulnerabilities between the two browsers, including three rated high severity.

Google and Mozilla released patches for Chrome and FireFox to address a total of 21 vulnerabilities between the two browsers, including three rated high severity.

Google and Mozilla on Tuesday announced the release of Chrome 137 and Firefox 139, with patches for a total of 21 vulnerabilities between the two browsers, including three rated high severity.

Chrome 137 brings 11 security fixes, eight of which cover security defects reported by external researchers.

Of the eight externally reported bugs, two are high-severity memory safety issues, namely a use-after-free defect in Compositing (CVE-2025-5063) and an out-of-bounds write flaw in the V8 JavaScript engine (CVE-2025-5280).

While Google did not provide technical details on the vulnerabilities, the exploitation of memory safety bugs could allow attackers to execute arbitrary code or crash the application. Combined with flaws in the underlying system or a privileged process, use-after-free issues in Chrome can lead to sandbox escape.

The latest Chrome update also resolves five medium-severity security defects in the Background Fetch API, FileSystemAccess API, Messages, BFCache, and libvpx, and one low-severity flaw in Tab Strip.

Google says it handed out $7,500 in bug bounty rewards to the reporting researchers, but it has yet to determine the amounts to be paid for the high-severity vulnerabilities and two medium-severity bugs, so the final amount could be much higher.

Advertisement. Scroll to continue reading.

The latest Chrome iteration is now rolling out as versions 137.0.7151.55/56 for Windows and macOS and as version 137.0.7151.55 for Linux.

Firefox 139 was released with patches for 10 vulnerabilities, including a high-severity double-free issue in libvpx (with no CVE identifier assigned) that could have led to memory corruption and a potentially exploitable crash.

Additionally, the browser update resolves six medium-severity bugs leading to cross-origin leak attacks, local code execution, cross-site leaks (XS-Leaks), and memory corruption (that could have been exploited for arbitrary code execution).

On Tuesday, Mozilla also delivered Firefox ESR 128.11 with patches for eight of these vulnerabilities, and Firefox ESR 115.24 with fixes for four of them. Thunderbird 139 was rolled out with fixes for all 10 security defects, while Thunderbird 128.11 came out with patches for eight of the flaws.

While Google and Mozilla make no mention of any of these vulnerabilities being exploited in the wild, users are advised to update their browsers as soon as possible, as it is not uncommon for threat actors to target Chrome and Firefox bugs.

Related: Chrome 136 Update Patches Vulnerability With ‘Exploit in the Wild’

Related: Chrome 136, Firefox 138 Patch High-Severity Vulnerabilities

Related: Chrome 135, Firefox 137 Updates Patch Severe Vulnerabilities

Related Content

Vulnerabilities

Public exploit code targeting the Firefox flaws exists, but no in-the-wild exploitation has been observed.

Vulnerabilities

The flaws could allow attackers to access and modify data, and cause system unavailability and request-response desynchronization.

Email Security

The flaw results in malicious code embedded in crafted emails being executed when the emails are opened.

Vulnerabilities

Buffer overflow, DoS, command injection, SSRF, authentication bypass, and other types of vulnerabilities have been found in PAN-OS software.

Vulnerabilities

The privilege escalation vulnerability tracked as CVE-2026-50656 has been patched with a Microsoft Malware Protection Engine update.

Vulnerabilities

The security refresh resolves 13 use-after-free bugs, including two critical-severity flaws found by Google.

Vulnerabilities

The updates fix vulnerabilities in WebKit, the kernel, WebRTC, Web Extensions, and other components affecting iPhone, iPad, Mac, and Safari users.

Vulnerabilities

Fifteen of the newly patched flaws have been rated ‘critical’ and 67 have been rated ‘high severity’.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version