September 24, 2025
Severity
High
Analysis Summary
Google has rolled out an urgent security update for its Chrome browser to patch three high-severity vulnerabilities that pose risks of data exposure and system instability. The update brings Chrome to version 140.0.7339.207/.208 on Windows and Mac, and 140.0.7339.207 on Linux. While the fix will be delivered automatically over the coming days, users are strongly urged to manually update immediately to ensure protection. All three vulnerabilities affect the V8 JavaScript and WebAssembly engine, a critical component responsible for executing code within Chrome.
The first flaw, tracked as CVE-2025-10890, is a side-channel information leakage vulnerability reported by a security researcher. It could enable attackers to bypass isolation mechanisms and read sensitive data directly from the browser’s memory if a victim visits a maliciously crafted webpage. The other two vulnerabilities, CVE-2025-10891 and CVE-2025-10892, were discovered by Google’s internal Big Sleep research team and stem from integer overflows in the V8 engine. Such bugs occur when an arithmetic result exceeds the range its integer type can represent and silently wraps around; when the wrapped value feeds a size or bounds calculation, the result is memory corruption that leads to crashes or, in some cases, remote code execution.
Exploiting these flaws typically requires an attacker to lure a victim into accessing a malicious website. In practice, CVE-2025-10890 could be used to leak confidential information from other browser sessions or processes, while the integer overflow vulnerabilities could cause abrupt browser crashes or potentially be chained with other exploits to escalate privileges. Although Google has not confirmed active exploitation, it is restricting access to technical details and proof-of-concept exploits until the majority of users have installed the update, in line with its standard security policy.
Google emphasized the importance of updating Chrome promptly to mitigate these threats and outlined the update process under the “Help” > “About Google Chrome” menu. The company also credited external and internal researchers for uncovering these flaws and noted the use of advanced testing tools such as AddressSanitizer, MemorySanitizer, and fuzzing frameworks in its ongoing security efforts. This collaborative and proactive approach underscores Google’s strategy to identify and address vulnerabilities before they can be weaponized at scale.
Impact
- Sensitive Data Theft
- Security Bypass
- Gain Access
Indicators of Compromise
CVE
CVE-2025-10890
CVE-2025-10891
CVE-2025-10892
Affected Vendors
Google
Remediation
- Update Chrome immediately to the latest version (140.0.7339.207/.208 for Windows and Mac, 140.0.7339.207 for Linux).
- Manually trigger the update via “Help” > “About Google Chrome”, which checks for and installs the latest version.
- Enable automatic updates to ensure future patches are applied without delay.
- Avoid visiting suspicious or untrusted websites until the update is applied, as exploitation requires luring users to malicious pages.
- Restart the browser after updating to activate the security fixes.
- Monitor Google’s security advisory page for additional details once technical restrictions are lifted.
- Encourage enterprise environments to push the update via centralized patch management to cover all endpoints quickly.
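When sweeping endpoints for the fixed release, the check has to compare version components numerically rather than as strings, otherwise an unpatched 140.0.7339.99 sorts above 140.0.7339.207 and is wrongly reported as safe. The following script is an added example written for this advisory, not code from Google or from the advisory’s author; it assumes the minimum fixed versions quoted above (140.0.7339.207 on all three platforms, with .208 being a later Windows/Mac build), that the local Chrome binary answers `--version` under one of the common Linux/macOS command names, and that the sample version strings in `main` are constructed, not observed data.

```python
import re
import shutil
import subprocess
import sys
from typing import Optional, Tuple

# Minimum fixed Chrome versions from the advisory. Windows/Mac shipped as
# 140.0.7339.207/.208; the lower build is the earliest patched release, so
# anything at or above it is considered patched.
FIXED_VERSIONS = {
    "win32": (140, 0, 7339, 207),
    "darwin": (140, 0, 7339, 207),
    "linux": (140, 0, 7339, 207),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a four-part Chrome version from strings such as
    'Google Chrome 140.0.7339.185' or a bare '140.0.7339.207'.
    Returns None when no version is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_patched(version_text: str, platform: str = sys.platform) -> bool:
    """True when the installed version is at or above the fixed release for
    this platform. Tuples compare component by component, so 140.0.7339.99
    correctly sorts below 140.0.7339.207; a plain string comparison would
    get this backwards."""
    installed = parse_version(version_text)
    if installed is None:
        return False  # unknown version: report as unpatched, never as safe
    key = "linux" if platform.startswith("linux") else platform
    required = FIXED_VERSIONS.get(key, FIXED_VERSIONS["linux"])
    return installed >= required


def installed_chrome_version() -> Optional[str]:
    """Ask the local Chrome binary for its version string using common
    Linux/macOS command names (assumed; Windows install paths vary and are
    left to the caller). Returns None when no binary is on PATH."""
    for name in ("google-chrome", "google-chrome-stable",
                 "chromium", "chromium-browser"):
        path = shutil.which(name)
        if path:
            out = subprocess.run([path, "--version"], capture_output=True,
                                 text=True, check=False)
            return out.stdout.strip() or None
    return None


if __name__ == "__main__":
    # Constructed sample outputs, shaped like what a version sweep would see.
    samples = [
        "Google Chrome 140.0.7339.185",  # pre-patch release
        "Google Chrome 140.0.7339.207",  # fixed
        "Google Chrome 140.0.7339.208",  # fixed, Windows/Mac alternate build
        "Google Chrome 141.0.1000.1",    # constructed newer version
        "garbage",                       # unparseable
    ]
    for sample in samples:
        print(f"{sample!r:34} patched={is_patched(sample, 'linux')}")
    live = installed_chrome_version()
    if live:
        print("local:", live, "patched" if is_patched(live) else "UNPATCHED")
```

Run it on an endpoint to report the locally installed build, or import `is_patched` into an inventory script and feed it the version strings your patch-management tool already collects; an unparseable string deliberately counts as unpatched so a broken collector cannot mask an out-of-date browser.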