Chrome Security Update Code Execution

Google has officially promoted Chrome 137 to the stable channel for Windows, Mac, and Linux platforms, marking a significant milestone in browser security and artificial intelligence integration. The Chrome team announced the release on May 27, 2025, with the update rolling out globally over the coming days and weeks.

Chrome 137.0.7151.55 for Linux and 137.0.7151.55/56 for Windows and Mac delivers substantial security improvements, addressing 11 vulnerabilities identified by both external researchers and internal security teams.

The update tackles several high-severity issues, including CVE-2025-5063, a use-after-free vulnerability in Compositing reported by an anonymous researcher on April 18, 2025, and CVE-2025-5280, an out-of-bounds write issue in V8 discovered by security researcher pwn2car on May 12, 2025.

Google has implemented a comprehensive bug bounty program, rewarding security researchers for their contributions. Notable payments include $4,000 for Maurice Dauer’s discovery of inappropriate implementation in the Background Fetch API, $2,000 for NDevTK’s FileSystemAccess API findings, and $1,000 for Mohit Raj’s identification of messaging vulnerabilities.

The company continues its commitment to transparency while maintaining responsible disclosure practices, restricting access to bug details until most users receive the security patches.

| CVE ID | Severity | Type | Description | Reported By | Bounty |
|---|---|---|---|---|---|
| CVE-2025-5063 | High | Use-after-free in Compositing | Heap corruption vulnerability via crafted HTML pages in rendering pipeline | Anonymous (2025-04-18) | TBD |
| CVE-2025-5280 | High | Out-of-bounds write in V8 | Memory corruption in JavaScript engine allowing potential remote code execution | pwn2car (2025-05-12) | TBD |
| CVE-2025-5064 | Medium | Background Fetch API flaw | Cross-origin data leakage through improper implementation of background fetch operations | Maurice Dauer (2021-11-29) | $4,000 |
| CVE-2025-5065 | Medium | FileSystemAccess API issue | UI spoofing attacks enabling malicious file operations through crafted dialog manipulation | NDevTK (2022-03-11) | $2,000 |
| CVE-2025-5066 | Medium | Messages implementation flaw | UI gesture-based spoofing vulnerability affecting Android Chrome users | Mohit Raj (2024-07-31) | $1,000 |
| CVE-2025-5281 | Medium | BFCache vulnerability | Potential cross-origin information leakage through improper back/forward cache handling | Jesper van den Ende (2025-05-12) | TBD |
| CVE-2025-5283 | Medium | libvpx use-after-free | Heap corruption in VP8/VP9 video processing via malicious media content | Mozilla (2025-05-22) | TBD |
| CVE-2025-5067 | Low | Tab Strip implementation | UI spoofing through crafted tab strip interactions | Khalil Zhani (2023-10-17) | $500 |

The most groundbreaking feature in Chrome 137 is the integration of Google’s Gemini Nano large language model, which provides on-device artificial intelligence capabilities to combat sophisticated cyber threats.

This feature specifically targets tech support scams, which have become increasingly prevalent and sophisticated in how they deceive users.

The AI-powered system operates entirely on users’ devices, ensuring privacy while analyzing webpage content in real-time. When Chrome detects characteristic scam triggers, such as misuse of keyboard-lock APIs, Gemini Nano evaluates the page’s intent by processing text, layout, and behavioral cues.

This approach enables Chrome to detect deceptive patterns and generate security signals for Google’s Safe Browsing service, providing protection against threats that exist for fewer than 10 minutes on average.

Beyond security improvements, Chrome 137 introduces several significant enhancements to the web platform. The update includes support for floating-point color types in canvas rendering contexts, essential for high-precision applications such as medical visualization and high dynamic range content.

Additionally, the browser now supports SVG elements that can reference external documents’ root elements without requiring explicit fragment identifiers, streamlining web development workflows.

The release also implements Document-Isolation-Policy, enabling documents to achieve cross-origin isolation without deploying complex security headers, and adds Ed25519 cryptographic algorithm support to the Web Cryptography API.

Chrome’s dominance in the browser market, with approximately 65% worldwide market share across all platforms as of 2024, means these security enhancements will impact billions of users globally.

The integration of on-device AI represents a paradigm shift in browser security, moving from reactive blocklist-based defenses to proactive, intelligent threat detection.

This release demonstrates Google’s commitment to leveraging artificial intelligence for cybersecurity while maintaining user privacy through on-device processing, setting new standards for browser security in an era of increasingly sophisticated cyber threats.
