Google Issues Emergency Chrome Update for WebGPU High-Severity Remote Code Exploit
Google has released an emergency security update for the Chrome browser, addressing a series of vulnerabilities that could allow remote code execution and potential system takeover. The update, issued on 5 November 2025, is being rolled out progressively across desktop platforms—Windows, macOS, and Linux—as well as Android, through both Google Play and Chrome’s integrated update mechanism.
The patch resolves five security flaws, three of which were assigned high CVSS ratings due to the risks of memory corruption and remote command execution. The most severe, CVE-2025-12725, was discovered on 9 September by an anonymous researcher in Chrome’s WebGPU component, the browser’s graphics interface.
The vulnerability stems from out-of-bounds memory access, which could allow overwriting of critical memory regions, thereby enabling arbitrary code execution. To prevent active exploitation, technical details will remain undisclosed until the majority of users have applied the patch.
Two other high-severity flaws—CVE-2025-12726 and CVE-2025-12727—affect Chrome’s internal modules. The first, identified by Alessandro Ortiz on 25 September, involves improper handling in the Views component responsible for rendering the browser’s user interface. The second, found by researcher 303f06e3 on 23 October, impacts the V8 JavaScript engine, a core part of Chrome’s execution environment. Both vulnerabilities enable remote interference through memory manipulation and received a CVSS v3.1 score of 8.8.
The update also addresses two medium-severity vulnerabilities in the Omnibox component, which integrates Chrome’s address bar and search field. Identified as CVE-2025-12728 and CVE-2025-12729, these issues were discovered by researchers Hafiizh and Khalil Zhani respectively. Both arise from implementation flaws that may lead to data leakage or visual interface spoofing. While these flaws are less critical, Google stresses the need for prompt patching, as they could be exploited for phishing or content manipulation attacks.
On desktop systems, Chrome has been updated to version 142.0.7444.134 or .135, and on Android to version 142.0.7444.138. A spokesperson from the Chrome team confirmed that the Android build includes identical security fixes and will be distributed via Google Play over the coming days. Developers expressed gratitude to all researchers who responsibly disclosed the flaws before exploitation could occur and emphasized that full technical reports would remain embargoed to reduce the risk of active attacks.
All users are strongly urged to verify their Chrome version and ensure they are running the latest release. On desktop, this can be done through the “About Google Chrome” section in settings, while Android users should check for updates via the Play Store. Google also recommends enabling automatic updates to ensure that critical security protections are applied without delay.
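The version check described above can be automated across a device inventory. The following is an added example, not code from Google or from the original article: the host names and sample version strings are constructed, and treating .134 as the minimum patched desktop build is an assumption drawn from the versions the article lists.

```python
"""Flag Chrome installs older than the fixed builds named in the article."""

# Fixed builds as stated in the article. Desktop shipped as .134 or .135,
# so .134 is used here as the minimum patched desktop build (assumption).
FIXED = {
    "windows": (142, 0, 7444, 134),
    "macos": (142, 0, 7444, 134),
    "linux": (142, 0, 7444, 134),
    "android": (142, 0, 7444, 138),
}

def parse_version(text):
    """Parse '142.0.7444.134' or 'Google Chrome 142.0.7444.134' into a tuple.

    Returns None for anything that is not four dot-separated integers.
    Integers matter: as strings, '59' sorts after '134'.
    """
    stripped = text.strip()
    token = stripped.split()[-1] if stripped else ""
    parts = token.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def status(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one install."""
    fixed = FIXED.get(platform.lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # unrecognised platform or malformed version
    return "patched" if version >= fixed else "vulnerable"

def audit(inventory):
    """Map host -> status for an iterable of (host, platform, version_text)."""
    return {host: status(plat, ver) for host, plat, ver in inventory}

# Constructed sample inventory (hosts and versions are made up for the example).
SAMPLE = [
    ("ws-01", "Windows", "142.0.7444.135"),
    ("mac-07", "macOS", "Google Chrome 142.0.7444.59"),
    ("build-3", "Linux", "142.0.7444.134"),
    ("phone-2", "Android", "142.0.7444.134"),
    ("kiosk-9", "Linux", "142.0.7444"),
]

if __name__ == "__main__":
    for host, result in audit(SAMPLE).items():
        print(f"{host}: {result}")
```

Hosts reported as "unknown" have a truncated or unparseable version string and should be checked by hand rather than assumed patched.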