On September 9th, Google announced a security update for Chrome that fixes two significant vulnerabilities: one classified as critical and the other as high severity. The company recommends installing the patch as soon as possible to minimize the risk of exploitation, especially on everyday devices.
Both bugs were reported through Google's rewards program in August and now have official identifiers: CVE-2025-10200 (critical) and CVE-2025-10201 (high). Although the impact varies, both open the door to attack scenarios that should be addressed with an immediate update.
Urgent update in Chrome

The critical flaw, recorded as CVE-2025-10200, is a use-after-free error in the ServiceWorker component. In simple terms, the browser attempts to use memory that has already been freed, which can trigger data corruption or allow arbitrary code execution if combined with other techniques.
An attacker could craft a malicious site so that, when visited with Chrome, code would execute on the victim's system. This vector, based on specially designed web content, makes the vulnerability a patching priority for users and organizations.
Second flaw: high severity in Mojo
The second vulnerability, CVE-2025-10201, is described as an inappropriate implementation in Mojo, the set of libraries that Chromium uses for inter-process communication. The main risk is that an attacker could weaken or compromise the browser's sandbox, a key component that isolates processes to limit the scope of an exploit.
Although not all practical effects have been publicly detailed, these types of flaws in Mojo can facilitate more complex attack chains. Therefore, the recommendation is to apply the patch without delay and check the installed version on all machines.
Fixed versions and how to update
Google has released versions that fix both bugs for Windows, macOS, and Linux. If your browser hasn't updated automatically, you should check and update it manually:
- Windows: 140.0.7339.127 / .128
- macOS: 140.0.7339.132 / .133
- Linux: 140.0.7339.127
Steps to force an update in Chrome (desktop): Menu > Help > About Google Chrome. The browser will check for the latest available build and, if one is available, begin downloading it.
- Open the three-dot menu at the top right.
- Go to Help.
- Select About Google Chrome.
- Wait for the download and press Restart if requested.
The process usually takes just a few seconds. After restarting, verify that the version number matches the fixed builds to ensure the patch has been applied correctly.
Other Chromium-based browsers
Because the flaws reside in Chromium components, browsers like Microsoft Edge, Brave, Opera or Vivaldi can also be affected. Their developers usually release patches within 24-48 hours of Google's post, but it's a good idea to check manually.
If you use one of these browsers, go to its settings menu and force it to check for updates. Keeping them up to date significantly reduces the attack surface and prevents unnecessary security issues.
Rewards and timeline of the discovery
The critical flaw report came from Looben Yang on August 22, with a reward assigned by Google of $43,000. The high severity vulnerability was reported by Sahan Fernando along with an anonymous researcher, with a reward of $30,000.
Google's public statement was published on September 9 and details that the fixes are now available. The official way to obtain them is always through the Chrome updater itself or the Google website; avoid third-party sources.
Quick questions
Does it affect the mobile version of Chrome?
According to the information provided, the scope of these corrections focuses on Windows, macOS and Linux desktop. No impact on mobile devices has been indicated.
What risk do I run if I don't update?
You could expose yourself to code execution or breaking the isolation of the browser, in addition to performance degradation and compromised privacy.
Do I also have to update the extensions?
They are not related to these two CVEs, but it is recommended to always keep them updated to prevent additional attack vectors.
The key now is simple: keep Chrome and Chromium-based browsers on the fixed versions, verify the installed build, and use only official sources. With the patch applied, the risk associated with CVE-2025-10200 and CVE-2025-10201 is mitigated on Windows, macOS, and Linux systems.