What vulnerabilities does Chrome 137.0.7151.55/56 fix?

Chrome 137.0.7151.55/56 addresses eight security vulnerabilities including use-after-free flaws in Compositing and libvpx, an out-of-bounds write in V8 JavaScript engine, and multiple inappropriate implementation issues in various Chrome components. These vulnerabilities could allow attackers to execute arbitrary code, corrupt memory, or crash the browser if left unpatched.

What are the most critical vulnerabilities fixed in Chrome 137?

The most critical vulnerabilities are CVE-2025-5063 (CVSS 8.8), a use-after-free in Compositing, and CVE-2025-5280 (CVSS 8.8), an out-of-bounds write in V8. These high-severity flaws represent memory management issues that can be exploited to achieve code execution through maliciously crafted web content.

Which platforms are affected by the Chrome 137 security update?

The security update affects Chrome across all major platforms: Chrome 137.0.7151.55 for Linux and Chrome 137.0.7151.55/56 for Windows and Mac. All users on these platforms should update to the latest version to protect against the identified vulnerabilities.

What are the use-after-free vulnerabilities in Chrome 137?

Chrome 137 fixes two use-after-free vulnerabilities: CVE-2025-5063 (CVSS 8.8) in Compositing and CVE-2025-5283 (CVSS 5.4) in libvpx. These memory management flaws are concerning as they can be exploited to achieve code execution by accessing memory that has already been freed.

What Chrome API vulnerabilities were fixed in version 137?

Several inappropriate implementation vulnerabilities were fixed in Chrome APIs: CVE-2025-5065 (CVSS 6.5) in FileSystemAccess API, CVE-2025-5066 (CVSS 6.5) in Messages, CVE-2025-5064 (CVSS 5.4) in Background Fetch API, and CVE-2025-5281 (CVSS 5.4) in BFCache. Additionally, CVE-2025-5067 (CVSS 5.4) was fixed in Tab Strip implementation.

What should Chrome users do about the version 137 security update?

Users are encouraged to ensure their Chrome browsers are updated to the latest version (137.0.7151.55/56) across all platforms to maintain security. The update can typically be installed through Chrome's built-in update mechanism in the browser settings.

What is the potential impact of the Chrome 137 vulnerabilities if exploited?

If exploited, these vulnerabilities could allow attackers to execute arbitrary code, corrupt memory, or crash the browser. The high-severity use-after-free and out-of-bounds write vulnerabilities are particularly dangerous as they could lead to full system compromise through malicious web content.

Advisory

Google releases Chrome security update patching multiple flaws, two high severity

Q: What is the V8 vulnerability in Chrome 137?

CVE-2025-5280 (CVSS 8.8) is an out-of-bounds write vulnerability in the V8 JavaScript engine. This flaw could potentially allow attackers to corrupt memory through maliciously crafted web content, making it one of the most serious vulnerabilities addressed in this update.

published: May 28, 2025

Take action: An easy update of your Chrome and Chromium based browsers (Opera, Edge, Brave, Vivaldi...). This one may become critical, so don't delay. Update your browsers now - all your tabs reopen so it's super easy.

Learn More

Google has released Chrome 137.0.7151.55 for Linux and Chrome 137.0.7151.55/56 for Windows and Mac, addressing multiple vulnerabilities. These vulnerabilities, if left unpatched, could allow attackers to execute arbitrary code, corrupt memory, or crash the browser.

Vulnerabilities summary

CVE-2025-5063 (CVSS score 8.8) - Use after free in Compositing
CVE-2025-5280 (CVSS score 8.8) - Out of bounds write in V8
CVE-2025-5065 (CVSS score 6.5) - Inappropriate implementation in FileSystemAccess API
CVE-2025-5066 (CVSS score 6.5) - Inappropriate implementation in Messages
CVE-2025-5064 (CVSS score 5.4) - Inappropriate implementation in Background Fetch API
CVE-2025-5281 (CVSS score 5.4) - Inappropriate implementation in BFCache
CVE-2025-5283 (CVSS score 5.4) - Use after free in libvpx
CVE-2025-5067 (CVSS score 5.4) - Inappropriate implementation in Tab Strip

The use-after-free vulnerabilities in Compositing and libvpx components are concerning as they represent memory management flaws that can be exploited to achieve code execution. The out-of-bounds write vulnerability in the V8 JavaScript engine could potentially allow attackers to corrupt memory through maliciously crafted web content.

Google maintains its policy of restricting access to detailed bug information until a majority of users have been updated with the fixes. This restriction also applies to vulnerabilities in third-party libraries that other projects depend on but haven't yet addressed.

Users are encouraged to ensure their Chrome browsers are updated to the latest version across all platforms to maintain security.

Google releases Chrome security update patching multiple flaws, two high severity

Read More
Android patches 40 Vulnerabilities, 4 critical - but …
Google releases Chrome 141, patches multiple vulnerabilities enabling …
Flaws in Apple's AirPlay protocol puts millions of …
Apple patches critical WebKit Vulnerability exploited in "Extremely …
Android security updates fix three actively exploited vulerabilities