SecurityWeek

Chrome 137 Update Patches High-Severity Vulnerabilities

Google has released a Chrome 137 update to resolve two memory bugs in the browser’s V8 and Profiler components.

Google on Tuesday announced patches for three vulnerabilities in Chrome 137, including two high-severity issues reported by external researchers.

The first of the externally reported bugs is CVE-2025-6191, described as an integer overflow defect in the V8 JavaScript engine. Google says it handed out a $7,000 reward to the reporting researcher.

The second flaw, tracked as CVE-2025-6192, is a use-after-free vulnerability in Chrome’s Profiler component that earned the reporting researcher a $4,000 reward.

The security defects were addressed in Chrome versions 137.0.7151.119/.120 for Windows and macOS, and in version 137.0.7151.119 for Linux.
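
For administrators who want to check a fleet against the fixed builds listed above, the following is an added example, not code from Google or SecurityWeek. It assumes a hypothetical inventory export with one `host,platform,version string` line per machine, and that any build numbered at or above the fixed one carries the fixes; the sample hosts are constructed.

```python
import re

# Fixed builds named in the article: 137.0.7151.119/.120 (Windows, macOS)
# and 137.0.7151.119 (Linux), so .119 is the lowest fixed build on each.
FIXED = {p: (137, 0, 7151, 119) for p in ("windows", "macos", "linux")}

# Exactly four dot-separated numbers, not part of a longer dotted string.
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Extract a four-part Chrome version from strings such as
    'Google Chrome 137.0.7151.103' or a bare '137.0.7151.119'."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(platform, version_text):
    """Return 'patched', 'outdated' or 'unknown' for one installation."""
    fixed = FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # unlisted platform or unparseable version: review by hand
    # Assumption: any build numbered at or above the fixed one carries the fixes.
    return "patched" if version >= fixed else "outdated"


def audit(inventory_lines):
    """Map each 'host,platform,version string' line to its status."""
    report = {}
    for line in inventory_lines:
        parts = line.strip().split(",", 2)
        if len(parts) != 3:
            report[line.strip()] = "unknown"  # malformed row: keep it visible
            continue
        host, platform, version_text = parts
        report[host] = classify(platform, version_text)
    return report


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = [
    "ws-01,Windows,Google Chrome 137.0.7151.120",
    "mac-07,macOS,Google Chrome 137.0.7151.104",
    "build-3,Linux,Google Chrome 137.0.7151.119",
    "kiosk-2,Linux,Google Chrome 136.0.7103.113",
    "lab-9,Windows,version unavailable",
]
```

Hosts reported as `unknown` are deliberately not counted as patched, so a failed version lookup still surfaces for manual review.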

Memory bugs in Chrome are attractive targets for attackers because they can potentially lead to remote code execution. Users are advised to update their browsers as soon as possible, although Google makes no mention of any of these issues being exploited.

However, threat actors have been observed targeting recent Chrome vulnerabilities in the wild, some of which were exploited as zero-days before being caught by security researchers.

One example is CVE-2025-2783, a high-severity sandbox escape flaw flagged by Kaspersky as being exploited in one-click attacks in a cyberespionage campaign targeting various Russian organizations. Firefox was found vulnerable to a similar defect.

While Kaspersky did not attribute the observed zero-day attacks to a specific threat actor, Positive Technologies this week reported that a group tracked as Team46 was behind them.

The zero-day exploitation, the company says, led to the deployment of Trinper, a backdoor associated with the TaxOff hacking group, suggesting that Team46 and TaxOff represent a cluster of activity that can be attributed to a single adversary.

“This group leverages zero-day exploits, which enables it to penetrate secure infrastructures more effectively. The group also creates and uses sophisticated malware, implying that it has a long-term strategy and intends to maintain persistence on the compromised systems for an extended period,” Positive Technologies notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
