Google has rolled out the Chrome 136 update, addressing a range of vulnerabilities across various components of the browser to enhance user security and privacy. Below are the key issues resolved:
1. Heap Buffer Overflow in the HTML Rendering Engine (CVE-2025-4096)
This is categorized as a high-severity vulnerability. The flaw arises from improper memory management when rendering certain types of HTML content. A heap buffer overflow occurs when data exceeds its allocated space in memory, potentially enabling attackers to execute arbitrary code. Exploiting this vulnerability could allow malicious actors to gain control of the browser or compromise the user’s system. The Chrome development team has patched this issue by revising the memory allocation procedures for HTML content rendering.
2. Memory Access Issues in DevTools (CVE-2025-4050 & CVE-2025-4051)
Two medium-severity vulnerabilities were identified in the Chrome Developer Tools (DevTools), often used by web developers for debugging and optimization.
- CVE-2025-4050 pertains to out-of-bounds memory access, where the tool attempts to read or write data outside the boundaries of allocated memory. This can result in unpredictable behavior or crashes.
- CVE-2025-4051 involves insufficient validation of input data, which could lead to security risks if manipulated by a malicious entity. Both issues have been mitigated through enhanced input validation and bounds checking.
3. Inappropriate Implementation in DevTools (CVE-2025-4052)
A low-severity vulnerability was linked to DevTools, where certain features were implemented in a manner that could inadvertently expose sensitive user information under specific conditions. While the risk was minimal, Google has adjusted the implementation to align with best practices for data protection.
4. Privacy Flaw with CSS :visited Selector
This update also resolves a longstanding privacy concern associated with the CSS :visited pseudo-class. The issue allowed websites to track users’ browsing history by checking which links had been visited. Although this vulnerability was not directly exploitable for system compromise, it posed significant privacy risks. Google has introduced stricter restrictions on how the :visited selector operates, ensuring websites cannot infer the user’s browsing patterns.
Importance of Updating
Google strongly recommends users update to Chrome 136 as soon as possible to safeguard their systems against these vulnerabilities. Users can do this by navigating to the browser settings and checking for updates under “About Chrome.” Keeping browsers updated is a critical aspect of maintaining cybersecurity, as it protects users from newly discovered threats.
Pingback: Chrome 136 Released with bug fixes - DevStackTips