SecurityWeek

Google Pays Out $55,000 Bug Bounty for Chrome Vulnerability

Google has released a Chrome 133 update to address four high-severity vulnerabilities reported by external researchers.

Google on Wednesday announced the rollout of a Chrome browser update that resolves four high-severity vulnerabilities that were reported by external researchers.

The first issue is a use-after-free bug in the V8 JavaScript engine, tracked as CVE-2025-0995, which earned the reporting researcher a $55,000 bug bounty reward.

Based on the amount handed out, it is likely that the security defect could be exploited to achieve remote code execution. It is not uncommon for threat actors to target V8 issues in their attacks.

Use-after-free flaws are a type of memory corruption bug that could lead to code execution, data corruption, and denial-of-service, and they could be combined with other vulnerabilities to fully compromise a system.

In Chrome, use-after-free bugs could lead to sandbox escape if an attacker can target a flaw in the underlying operating system or in a privileged Chrome component.

For several years, Google has been working on preventing the exploitation of memory safety issues in Chrome, including by migrating parts of the code to Rust, a programming language that is considered memory-safe.

The latest Chrome update resolves two other memory safety bugs, namely a use-after-free in Navigation, tracked as CVE-2025-0997, and an out-of-bounds memory access flaw in V8, tracked as CVE-2025-0998. Additionally, it addresses an inappropriate implementation in Browser UI, tracked as CVE-2025-0996.

Google notes in its advisory that it has yet to determine the bug bounty amounts to be paid for the last three security defects.

The latest Chrome iteration is now rolling out to users as versions 133.0.6943.98/.99 for Windows and macOS, and as version 133.0.6943.98 for Linux. Users are advised to update their browsers as soon as possible.
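For teams tracking the rollout, the following added example (not from Google's advisory or the original article) audits a browser inventory against the fixed build named above. The CSV layout, host names and sample versions are constructed, and it assumes any build at or above 133.0.6943.98 carries the fixes.

```python
import csv
import io
import re

# Lowest fixed build named in the article (Windows/macOS .98/.99, Linux .98).
FIXED_BUILD = (133, 0, 6943, 98)

# Chrome versions are four dot-separated integers: MAJOR.MINOR.BUILD.PATCH
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return the version as a tuple of ints, or None if it is malformed."""
    match = VERSION_RE.match(text.strip())
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def classify(version_text):
    """Classify one reported version string against the fixed build."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # empty or unparsable: needs manual follow-up
    # Tuple comparison is numeric per component, so .100 sorts above .98.
    # Comparing the raw strings would wrongly rank "…100" below "…98".
    return "patched" if version >= FIXED_BUILD else "needs_update"


# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE_INVENTORY = """\
host,os,chrome_version
ws-001,windows,133.0.6943.99
ws-002,windows,133.0.6943.54
mac-014,macos,132.0.6834.160
lnx-203,linux,133.0.6943.98
kiosk-7,linux,
ws-009,windows,133.0.6943.100
"""


def audit(inventory_csv):
    """Group hosts from a CSV inventory by patch status."""
    report = {"patched": [], "needs_update": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row.get("chrome_version") or "")
        report[status].append(row["host"])
    return report


if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```
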

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
