What vulnerabilities were patched in the latest Google Chrome update?

Google has released Chrome version 141.0.7390.65/.66 for Windows and Mac, and version 141.0.7390.65 for Linux, patching multiple high-severity and two critical memory handling vulnerabilities that could enable attackers to execute arbitrary code. The main vulnerabilities are CVE-2025-11460, CVE-2025-11458, and CVE-2025-11211.

What is CVE-2025-11460?

CVE-2025-11460 has a CVSS score of 9.8 and Google severity rating of High. It is a use-after-free condition in Chrome's Storage component. Attackers could exploit this flaw to cause the browser to access freed memory regions, leading to memory corruption, information leakage from deallocated memory, or potentially arbitrary code execution if the freed memory is reallocated with attacker-controlled data.

What is CVE-2025-11458?

CVE-2025-11458 has a CVSS score of 8.8 and Google severity rating of High. It is a heap buffer overflow in Chrome's Sync component. Successful exploitation could trigger memory corruption leading to browser crashes, information disclosure, or potentially arbitrary code execution within the browser's process context.

What is CVE-2025-11211?

CVE-2025-11211 has a CVSS score of 9.8 and Google severity rating of Medium. It is an out-of-bounds read in the WebCodecs API. The vulnerability could be exploited through malicious media files or malformed input parameters passed to WebCodecs API calls during encoding or decoding operations, potentially resulting in information disclosure, denial-of-service conditions, or serving as a component in more complex exploit chains.

Which versions of Google Chrome are affected?

All Google Chrome versions prior to 141.0.7390.65 for Linux and all Google Chrome versions prior to 141.0.7390.65/.66 for Windows and Mac are affected by these vulnerabilities.

Which versions of Google Chrome have the patches?

Google Chrome version 141.0.7390.65/.66 and all later versions for Windows and Mac, and Google Chrome version 141.0.7390.65 and all later versions for Linux contain the patches for these vulnerabilities.

What are the severity ratings of the Chrome vulnerabilities?

CVE-2025-11460 has a CVSS score of 9.8 with Google severity High, CVE-2025-11458 has a CVSS score of 8.8 with Google severity High, and CVE-2025-11211 has a CVSS score of 9.8 with Google severity Medium.

What could happen if these Chrome vulnerabilities are exploited?

Successful exploitation of these vulnerabilities could result in memory corruption, information leakage or disclosure, browser crashes, denial-of-service conditions, or potentially arbitrary code execution within the browser's process context, allowing attackers to gain control over the affected system.

How can CVE-2025-11211 be exploited?

CVE-2025-11211 could be exploited through malicious media files or malformed input parameters passed to WebCodecs API calls during encoding or decoding operations.

Advisory

Google releases Chrome 141, patches multiple vulnerabilities enabling arbitrary code execution

published: Oct. 8, 2025

Take action: If you are using Google Chrome or other Chromium-based browsers (Edge, Brave, Vivaldi, Opera...) patch your browser ASAP. While not a critical zero-day emergency, three vulnerabilities, two high-severity deserve quick update. And updating is trivial, all your tabs reopen.

Learn More

Google has released Chrome version 141.0.7390.65/.66 for Windows and Mac, and version 141.0.7390.65 for Linux, patching multiple high-severity and two critical (per CVSS score) memory handling vulnerabilities that could enable attackers to execute arbitrary code.

Vulnerabilities summary:

CVE-2025-11460 (CVSS score 9.8, Google severity High), is a use-after-free condition in Chrome's Storage component. Attackers could exploit this flaw to cause the browser to access freed memory regions, leading to memory corruption, information leakage from deallocated memory, or potentially arbitrary code execution if the freed memory is reallocated with attacker-controlled data.
CVE-2025-11458 (CVSS score 8.8, Google severity High), is a heap buffer overflow in Chrome's Sync component. Successful exploitation could trigger memory corruption leading to browser crashes, information disclosure, or potentially arbitrary code execution within the browser's process context.
CVE-2025-11211 (CVSS score 9.8, Google severity Medium), is an out-of-bounds read in the WebCodecs API. The vulnerability could be exploited through malicious media files or malformed input parameters passed to WebCodecs API calls during encoding or decoding operations. Successful exploitation could still result in information disclosure through leaked memory contents, denial-of-service conditions through browser crashes, or serve as a component in more complex exploit chains combined with other vulnerabilities.

Affected versions of Google Chrome are

All Google Chrome versions prior to 141.0.7390.65 for Linux
All Google Chrome versions prior to 141.0.7390.65/.66 for Windows and Mac

Patched versions

Google Chrome version 141.0.7390.65/.66 and all later versions for Windows and Mac
Google Chrome version 141.0.7390.65 and all later versions for Linux

Chrome users should update their browsers immediately to the latest version to protect against these vulnerabilities. The browser typically updates automatically, but users can manually trigger an update by navigating to Settings → Help → About Google Chrome, which will check for and install the latest version if available.

Google releases Chrome 141, patches multiple vulnerabilities enabling arbitrary code execution

Read More
Adobe releases November 2024 updates for multiple products, …
Two Google Pixel Android flaws actively exploited
Adobe releases patches for multiple products, warns of …
Critical vulnerabilities in Google Home and Google Nest …
Third one in a week: Google patches another …