Google Chrome 142 Stable Channel Release

The Google Chrome 142 stable channel was officially released on October 28, 2025, for Windows, Mac, Linux, Android, and ChromeOS. The update includes 20 security fixes, addressing vulnerabilities ranging from high to low severity. Among the most significant fixes are several high-severity vulnerabilities in the V8 JavaScript engine, which executes JavaScript in Chrome, including type confusion and race condition issues that could potentially lead to remote code execution. The update also resolves use-after-free and out-of-bounds read bugs, a policy bypass in Extensions, and security UI issues that could mislead users about site authenticity.

Here are the details of the key CVEs fixed in Google Chrome 142 release:

  • CVE-2025-12428: Type Confusion in V8 JavaScript engine, allowing potential remote code execution. Reported by Man Yue Mo with a $50,000 bounty.
  • CVE-2025-12429: Inappropriate Implementation in V8, also enabling remote code execution. Reported by Aorui Zhang with a $50,000 bounty.
  • CVE-2025-12432: Race Condition in V8, leading to memory corruption risks.
  • CVE-2025-12433: Inappropriate Implementation in V8, reported by Google's internal security team Big Sleep.
  • CVE-2025-12036: Inappropriate Implementation in V8, reported by Google Big Sleep team.
  • CVE-2025-12434: Race Condition in Storage component.
  • CVE-2025-12435: Incorrect Security UI in Omnibox, which could mislead users about website authenticity.
  • CVE-2025-12436: Policy Bypass in Extensions, enabling potential malicious extension behavior.
  • CVE-2025-12437: Use-After-Free in PageInfo component.
  • Several additional use-after-free, out-of-bounds read, and memory corruption issues in the V8 engine and other browser components.

In total, the Chrome 142 update addresses 20 security flaws, most being high severity, with many involving the V8 JavaScript engine. These CVEs highlight critical risks such as remote code execution and sandbox escapes if left unpatched. Google rewarded researchers over $120,000 in bug bounties for responsibly disclosing these vulnerabilities.

Google has temporarily restricted access to the detailed bug reports to prevent exploitation until most users have received the patch. The update is being rolled out automatically across platforms in the following versions: 142.0.7444.59 for Linux, 142.0.7444.59 and 142.0.7444.60 for Windows, and 142.0.7444.60 for Mac.

This update is important for users and organizations to install promptly to maintain security against potential remote code execution and other risks.
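
To confirm that endpoints have actually received the fix, the reported Chrome version can be compared against the builds listed above. The following is an added example, not code from Google or from this article; the platform keys, function names and sample inventory are assumptions made for illustration, and Android and ChromeOS are reported as unknown because the article gives no build numbers for them.

```python
import re

# Patched builds as listed in the article. Android and ChromeOS builds are
# not given there, so those platforms resolve to "unknown".
PATCHED = {
    "linux": (142, 0, 7444, 59),
    "windows": (142, 0, 7444, 59),  # the article lists .59 and .60 for Windows
    "mac": (142, 0, 7444, 60),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version from text such as --version output."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def status(platform, version_text):
    """Return 'patched', 'outdated', or 'unknown' for one endpoint."""
    minimum = PATCHED.get(platform.lower())
    version = parse_version(version_text)
    if minimum is None or version is None:
        return "unknown"
    # Tuples compare numerically per component, so 142.0.7444.9 sorts below
    # 142.0.7444.59 (a plain string comparison would get this wrong).
    return "patched" if version >= minimum else "outdated"


def audit(inventory):
    """Map each host to its status; rows are (host, platform, version_text)."""
    return {host: status(platform, text) for host, platform, text in inventory}


# Constructed sample inventory: hostnames and version strings are made up.
SAMPLE = [
    ("build-01", "linux", "Google Chrome 142.0.7444.59 "),
    ("desk-17", "windows", "141.0.7390.123"),
    ("mbp-04", "mac", "Google Chrome 142.0.7444.59"),
    ("kiosk-02", "chromeos", "142.0.7444.0"),
    ("desk-22", "windows", "Google Chrome 143.0.7499.40"),
    ("vm-09", "linux", "version not found"),
]

if __name__ == "__main__":
    for host, result in audit(SAMPLE).items():
        print(f"{host}: {result}")
```

Hosts that come back as unknown need a manual check rather than being counted as compliant.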
