
On September 2, 2025, Google officially released Chrome 140 to its stable channel across desktop and mobile platforms including Windows, macOS, Linux, Android, and iOS. This update focuses on improving browser performance, adding forward-looking web technologies, and importantly, patching a range of security vulnerabilities to keep users safe.
Security Fixes and CVE Details
Chrome 140 includes 6 important security fixes addressing vulnerabilities discovered both internally and by external security researchers. To foster strong security, Google rewards researchers who responsibly report vulnerabilities with bug bounties. Here’s a detailed look at the notable CVEs fixed in this release:
- CVE-2025-9865 (Medium Severity)
Reported by Khalil Zhani, this vulnerability involved an inappropriate implementation in the Toolbar component. Google awarded a $5000 bounty for the responsible disclosure. Improper toolbar handling could be exploited to cause unexpected behavior or other security risks.
- CVE-2025-9866 (Medium Severity)
Discovered by NDevTK, this flaw stemmed from an inappropriate implementation in Chrome Extensions and earned a $4000 bounty. Because extensions are deeply integrated with the browser, such a vulnerability could lead to privilege escalation or manipulation by malicious extensions.
- CVE-2025-9867 (Medium Severity)
Reported by Farras Givari, this flaw involved improper handling in the Downloads component and was rewarded with a $1000 bounty. Vulnerabilities in downloads can lead to file corruption, privilege issues, or exploitation through malicious file interactions.
Beyond these externally reported issues, Google’s internal teams also patched other security bugs identified through continuous audits and automated tools like AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, and fuzzing techniques. These internal efforts ensure that Chromium remains resilient against emerging threats.
Addressing Remote Code Execution Risks
Among the fixed vulnerabilities is a critical use-after-free issue in the V8 JavaScript engine (CVE-2025-9864), which could allow remote code execution. This type of bug is particularly dangerous as it enables attackers to execute arbitrary code in the browser context, potentially compromising user data or system control.
Other Notable Improvements
- Introduction of CSS typed arithmetic and new CSS properties to improve design and animation capabilities for developers.
- Updates to web APIs including the addition of the Controlled Frame API for Isolated Web Apps and the Get Installed Related Apps API on desktop.
- Enhancements in browser security UX such as improved warnings for HTTPS-related security events.
- Fixes aligning shared worker and service worker behaviors with specifications.
What Should Users Do?
All Chrome users are strongly encouraged to update to the latest version 140.0.7339.81 (or corresponding platform-specific builds). This update will be rolled out gradually over the coming days and weeks, but manual update checks are recommended for those wanting to secure their browsers sooner.
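Because the rollout is gradual, administrators often want to confirm which machines are still below the fixed build rather than rely on the auto-updater. The following is an added example, not code from the article or from Google: it compares installed versions against 140.0.7339.81 numerically (a plain string comparison would wrongly rank 140.0.7339.9 above 140.0.7339.81) and assumes a constructed CSV inventory of hostname and version pairs, such as an endpoint-management export might produce.

```python
# Added example: flag hosts whose Chrome build is below the Chrome 140 fixed release.
import csv
import io

# Minimum fixed build named in the release notes.
FIXED_VERSION = "140.0.7339.81"

# Constructed sample inventory; hostnames and versions are hypothetical.
SAMPLE_INVENTORY = """hostname,chrome_version
ws-01,139.0.7258.154
ws-02,140.0.7339.81
ws-03,140.0.7339.9
ws-04,140.0.7339.127
ws-05,not installed
"""


def parse_version(version: str) -> tuple[int, ...]:
    """Turn 'major.minor.build.patch' into an int tuple so that comparison
    is numeric: (140, 0, 7339, 9) < (140, 0, 7339, 81), whereas the string
    '140.0.7339.9' would sort after '140.0.7339.81'."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is at or above the fixed build."""
    return parse_version(installed) >= parse_version(fixed)


def unpatched_hosts(inventory_csv: str, fixed: str = FIXED_VERSION) -> dict[str, str]:
    """Map hostname -> reported version for every host that is not patched.
    Hosts with an unparseable version are reported as well, so a missing or
    malformed entry is never silently treated as patched."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = row["chrome_version"]
        try:
            if not is_patched(version, fixed):
                findings[row["hostname"]] = version
        except ValueError:
            findings[row["hostname"]] = f"unparseable: {version}"
    return findings


if __name__ == "__main__":
    for host, version in unpatched_hosts(SAMPLE_INVENTORY).items():
        print(f"{host}: {version}")
```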
By keeping Chrome updated, users benefit not only from the latest features but also crucial security protections crafted by a global community of researchers and Google’s dedicated security teams. Chrome 140 continues this tradition of prioritizing safety, speed, and cutting-edge web technologies.
For more details on security fixes and ongoing Chrome development, visit the official Chrome Releases and Security Pages.