Chrome 137 and Firefox 139 updates released on Tuesday resolve four high-severity memory bugs, two in each popular browser.
The Chrome update patches a use-after-free issue in Media (tracked as CVE-2025-5958) and a type confusion in the V8 JavaScript engine (CVE-2025-5959), both reported by external researchers.
Use-after-free vulnerabilities can be exploited for code execution, data corruption and denial of service. In Chrome, they can lead to sandbox escape if combined with security defects in a privileged part of the browser or in the underlying operating system.
Type confusion issues in Chrome’s V8 engine could lead to information leaks, remote code execution (RCE), and system compromise. Google typically pays $55,000 for V8 flaws leading to RCE, but has yet to determine the amount to be paid for CVE-2025-5959.
However, the internet giant says it handed out $8,000 to the Ant Group Light-Year Security Lab researcher who reported the use-after-free vulnerability.
The latest Chrome iteration is now rolling out as versions 137.0.7151.103/.104 for Windows and macOS, and as version 137.0.7151.103 for Linux.
On Tuesday, Mozilla announced the release of Firefox 139.0.4 with patches for a memory corruption flaw in the canvas surfaces component (tracked as CVE-2025-49709) and an integer overflow bug in OrderedHashTable used by the JavaScript engine (CVE-2025-49710).
Mozilla also pushed fresh updates for Thunderbird to fix a high-severity security defect that could lead to unsolicited file downloads, resulting in users’ disks being filled with garbage data on Linux, or to a credential leak via SMB links on Windows.
“A crafted HTML email using mailbox:/// links can trigger automatic, unsolicited downloads of .pdf files to the user’s desktop or home directory without prompting, even if auto-saving is disabled,” Mozilla explains.
“While user interaction is required to download the .pdf file, visual obfuscation can conceal the download trigger. Viewing the email in HTML mode is enough to load external content,” it continues.
Tracked as CVE-2025-5986, the issue was resolved in Thunderbird 139.0.2 and Thunderbird 128.11.1.
Users are advised to update their browsers and mail clients as soon as possible, even though neither Google nor Mozilla mentions any of these vulnerabilities being exploited in attacks.
