Chrome Emergency Update to Patch Multiple Remote Code Execution Vulnerabilities.
Overview:
Google Chrome has released an urgent update addressing five vulnerabilities, including three of high severity that could enable remote code execution (RCE).
The patched versions are:
- Windows: 142.0.7444.134 / 142.0.7444.135
- macOS: 142.0.7444.135
- Linux: 142.0.7444.134
These flaws impact core components like WebGPU, the V8 JavaScript engine, and Views, and allow execution of arbitrary code simply by visiting a malicious web page.
Vulnerability Details:
| CVE ID | Severity | Component | Description / Impact | CVSS v3.1 (Est.) |
| CVE-2025-12725 | High | WebGPU | Out-of-bounds write, memory corruption ? potential RCE via malicious web content.Cyber Security News | 8.8 |
| CVE-2025-12726 | High | Views | Inappropriate UI rendering implementation ? potential RCE through crafted pages.Cyber Security News | 8.1 |
| CVE-2025-12727 | High | V8 | Heap corruption in JavaScript engine ? RCE via specially crafted scripts. Cyber Security News | 8.8 |
| CVE-2025-12728 | Medium | Omnibox | Address-bar spoofing vulnerability ? phishing risk (no direct code execution).Cyber Security News | 6.5 |
| CVE-2025-12729 | Medium | Omnibox | URL manipulation flaw ? deceptive UI/URL spoofing risk. Cyber Security News | 6.1 |
How It Affects
An attacker can create a malicious web page or advertisement that triggers one of the high-severity flaws (WebGPU, V8, Views), leading to remote code execution on the victim’s system without further interaction. Additionally, the medium severity Omnibox flaws can facilitate phishing by spoofing URLs or the browser UI.
Who It Affects
- All users of Google Chrome on Windows, macOS, and Linux platforms.
- Enterprises and organisations using Chrome or Chromium-based browsers.
- Developers or users of web applications leveraging WebGPU, as the WebGPU vector is specifically targeted.
Its Impact
- Remote Code Execution (RCE): Full system compromise possible via exploitation of high severity flaws.
- Data Breach / Credential Theft: Attackers could access sensitive information, cookies, stored passwords.
- Malware Deployment: Could install ransomware, spyware or other malicious payloads.
- Phishing / Social Engineering: Via Omnibox vulnerabilities spoofing interface or URLs to deceive users.
- The combination of these risks elevates this update to critical status.
Targeted Products
- Google Chrome versions prior to:
- 142.0.7444.134/.135 (Windows & Linux)
- 142.0.7444.135 (macOS)
- Chromium-based browsers (pending similar security updates) including:
- Microsoft Edge
- Brave Browser
- Opera Browser
- Vivaldi
Indicators of Compromise (IOCs)
No publicly disclosed IOCs (such as malicious domains, file hashes or payload signatures) are available at this time.
Organisations should monitor for:
- Unexpected browser crashes or unusual rendering behaviour.
- Abnormal GPU or JavaScript activity in browser sessions.
- Outbound connections to unfamiliar domains triggered by browser usage.
Recommendations
- Apply Updates Immediately:
- Navigate to Settings ? Help ? About Google Chrome and update to version 142.0.7444.134/.135 or later.
- Force Enterprise Updates:
- Enforce automatic Chrome updates through Group Policy or MDM tools across corporate environments.
- Monitor for Exploitation Attempts:
- Review browser logs and endpoint telemetry for signs of compromise or script-based anomalies.
- Restrict WebGPU (Temporary):
- In high-security environments, disable WebGPU using:
chrome://flags/#enable-webgpu ? Set to Disabled.
- In high-security environments, disable WebGPU using:
- Educate Users:
- Advise staff and users to be cautious of unexpected pop-ups or unfamiliar websites.
- Patch Chromium-based Browsers:
- Ensure downstream browsers (Edge, Brave, Opera, etc.) are updated once corresponding security releases are available.
Reference Link: https://cybersecuritynews.com/chrome-emergency-update/