What vulnerabilities does Google Chrome 140 fix?

Google Chrome 140 patches six security vulnerabilities, including one classified as high severity but with a critical CVSS score of 9.8. The most critical flaw is CVE-2025-9864, a use-after-free vulnerability in the V8 JavaScript engine. Additional vulnerabilities include inappropriate implementation flaws in Toolbar, Extensions, and Downloads components.

What is the most critical vulnerability fixed in Chrome 140?

The most critical vulnerability is CVE-2025-9864, a use-after-free vulnerability in the V8 JavaScript engine with a CVSS score of 9.8. Despite the critical CVSS score, Google has classified this vulnerability as 'High' severity according to their internal rating system.

What other vulnerabilities are fixed in Chrome 140 besides the V8 flaw?

Chrome 140 also fixes CVE-2025-9865 (inappropriate implementation in Toolbar, CVSS 8.8), CVE-2025-9866 (inappropriate implementation in Extensions, CVSS 8.8), and CVE-2025-9867 (inappropriate implementation in Downloads, CVSS 8.8). Google has classified these as medium severity vulnerabilities.

Why is there a discrepancy between CVSS scores and Google's severity ratings?

Google uses its own internal severity classification system that may differ from standard CVSS scores. For example, CVE-2025-9864 has a critical CVSS score of 9.8 but is classified as 'High' severity by Google. This difference likely reflects Google's assessment of real-world exploitability and impact within the Chrome browser environment.

What is Google's policy on disclosing vulnerability details for Chrome updates?

Google restricts access to detailed vulnerability information until a majority of users have updated their browsers with the fixes. This policy helps prevent attackers from developing exploits before most users have applied the security patches.

Should Chrome users update to version 140 immediately?

Yes, users should update to Chrome 140 immediately due to the critical nature of the vulnerabilities, particularly the V8 JavaScript engine flaw (CVE-2025-9864) with a CVSS score of 9.8. The V8 engine processes JavaScript on virtually every website, making this a high-priority security update.

What is the Extended Stable channel and who should use it?

The Extended Stable channel is designed for users who prefer a more conservative update schedule with less frequent updates. It has been updated to Chrome version 140.0.7339.81 for Windows and Mac users. This channel is suitable for enterprise environments or users who prioritize stability over having the latest features.

How serious is a use-after-free vulnerability in the V8 JavaScript engine?

A use-after-free vulnerability in the V8 JavaScript engine is extremely serious because V8 processes JavaScript code from virtually every website users visit. This type of vulnerability can potentially allow attackers to execute arbitrary code in the browser context, compromise user data, or escape browser security sandboxes. The critical CVSS score of 9.8 reflects the high potential impact of successful exploitation.

Advisory

Chrome 140 security update patches six vulnerabilities, one high-severity

Q: What Chrome 140 versions are available for different operating systems?

Chrome 140 is available as version 140.0.7339.80 for Linux systems and versions 140.0.7339.80/81 for Windows and Mac platforms. The Extended Stable channel has also been updated to version 140.0.7339.81 for Windows and Mac users who prefer the more conservative update schedule.

published: Sept. 3, 2025

Take action: Finally an update without a critical actively exploited vulnerability. Still wise to update your Chrome, Edge, Opera, Brave, Vivaldi... Because hackers will find a way to exploit these flaws. Don't wait, updating is trivial and all your tabs reopen.

Learn More

Google has released Chrome 140 patching six security vulnerabilities, one classified as high severity but with a critical CVSS score.

Vulnerabilities summary:

CVE-2025-9864 (CVSS score 9.8, Google score High severity) - Use after free in V8 JavaScript engine
CVE-2025-9865 (CVSS score 8.8, Google score Medium severity) - Inappropriate implementation in Toolbar
CVE-2025-9866 (CVSS score 8.8, Google score Medium severity) - Inappropriate implementation in Extensions
CVE-2025-9867 (CVSS score 8.8, Google score Medium severity) - Inappropriate implementation in Downloads

Chrome 140 is available as 140.0.7339.80 for Linux systems and 140.0.7339.80/81 for Windows and Mac platforms. The Extended Stable channel has also been updated to version 140.0.7339.81 for Windows and Mac users who prefer the more conservative update schedule. Users can verify their current Chrome version by navigating to Settings > About Chrome, where the browser will automatically check for and install available updates.

Google restricts access to detailed vulnerability information until a majority of users have updated their browsers with the fixes.

Chrome 140 security update patches six vulnerabilities, one high-severity

Read More
Google Chrome 147 Update Patches 60 Vulnerabilities Including …
Google warns of actively exploited flaw in Samsung …
Microsoft releases massive July patch addressing 142 flaws, …
Critical remote execution code vulnerabilities in ASUS routers
Google patches high severity vulnerability in Chrome Safe …