
Google Chrome 139 has been officially released with a primary focus on addressing multiple security vulnerabilities. The update brings at least 12 security fixes, including a critical bug (CVE-2025-9132) in the V8 JavaScript engine, classified as an “out of bounds write” issue. This flaw was discovered by Google’s Big Sleep team and could allow attackers to execute arbitrary code if exploited.
Here are some key highlights from the Chrome 139 release:
- Critical Security Fixes: 12 security vulnerabilities have been patched. The standout fix is for CVE-2025-9132, a high-severity vulnerability in the V8 engine that could let attackers execute malicious code on affected systems. Several other CVEs, mainly of medium severity, were also addressed, including issues in Extensions and Picture-in-Picture functionality.
- No Zero-Day Exploits Reported: There is no evidence that any of the patched vulnerabilities have been exploited in the wild prior to this release.
- Update Urgency: Due to the critical nature of at least one of the vulnerabilities and the total of 12 security fixes, users and organizations are advised to update Chrome immediately. This can be done via Help > About Google Chrome, which checks for updates and applies the patch after a restart.
- Additional Changes: Beyond security, this release enforces Manifest V3 for extensions (deprecating Manifest V2) and introduces various performance and stability improvements.
Details of security bug fixes in Chrome 139
This update contains 12 security fixes highlighted by Google, including the following contributed by external researchers:
- CVE-2025-8576 (Medium severity): Use after free vulnerability in Extensions, reported by asnine.
- CVE-2025-8577 (Medium severity): Inappropriate implementation in the Picture-in-Picture feature, reported by Umar Farooq.
- CVE-2025-8578 (Medium severity): Use after free vulnerability in Cast, reported by Fayez.
- CVE-2025-8579 (Low severity): Inappropriate implementation in Gemini Live in Chrome, reported by Alesandro Ortiz.
- CVE-2025-8580 (Low severity): Inappropriate implementation in Filesystems, reported by Huuuuu.
- CVE-2025-8581 (Low severity): Inappropriate implementation in Extensions, reported by Vincent Dragnea.
- CVE-2025-8582 (Low severity): Insufficient validation of untrusted input in DOM, reported anonymously (originally from 2017).
- CVE-2025-8583 (Low severity): Inappropriate implementation in Permissions, reported by Shaheen Fazim.
In addition to these externally reported bugs, many other vulnerabilities were fixed internally through audits, fuzzing, and security initiatives using tools such as AddressSanitizer and MemorySanitizer.
These fixes reflect Google’s continuous effort to shield users from security risks through proactive bug detection and repair.
In summary, Chrome 139 is a critical security release driven mainly by a major bug in the V8 JavaScript engine, and all users and organizations are urged to update to protect against potential exploits.



