Google has rolled out Chrome 134 to the stable channel for Windows, macOS, and Linux, addressing 14 security vulnerabilities, including high-severity flaws that could allow remote code execution or crashes.
The update, version 134.0.6998.35 for Linux, 134.0.6998.35/36 for Windows, and 134.0.6998.44/45 for macOS, follows weeks of testing and includes important fixes for vulnerabilities in components like V8, PDFium, and Media Stream.
External researchers contributed 9 of the patches, earning up to $7,000 in bug bounties, while Google’s internal teams resolved 5 additional issues through audits and automated tools.
Security Enhancements and External Collaborations
The most severe vulnerability, CVE-2025-1914, earned researchers Zhenghang Xiao and Nan Wang a $7,000 bounty for identifying an out-of-bounds read in Chrome’s V8 JavaScript engine.
This class of vulnerability often allows attackers to bypass security protocols or leak sensitive memory data.
Another important fix, CVE-2025-1915, patched a path traversal flaw in DevTools that could expose local files, reported by Topi Lassila for a $4,000 reward.
Medium-severity issues dominated the update, including a use-after-free flaw in Profiles (CVE-2025-1916) reported by South Korea’s SSD Labs and an out-of-bounds read in PDFium (CVE-2025-1918) discovered by researcher “asnine.”
Notably, Khalil Zhani received two rewards totaling $3,000 for reporting implementation flaws in Browser UI and Permission Prompts (CVE-2025-1917 and CVE-2025-1923).
CVE ID | Severity | Vulnerability Description
CVE-2025-1914 | High | Out-of-bounds read in V8
CVE-2025-1915 | Medium | Path traversal in DevTools
CVE-2025-1916 | Medium | Use-after-free in Profiles
CVE-2025-1917 | Medium | Browser UI implementation flaw
CVE-2025-1918 | Medium | Out-of-bounds read in PDFium
CVE-2025-1919 | Medium | Out-of-bounds read in Media
CVE-2025-1921 | Medium | Media Stream implementation flaw
CVE-2025-1922 | Low | Selection implementation flaw
CVE-2025-1923 | Low | Permission Prompts implementation flaw
Internal Safeguards and Ongoing Efforts
Google’s internal security teams addressed 5 additional vulnerabilities through tools like AddressSanitizer and Control Flow Integrity.
These efforts focused on hardening components such as networking stacks and DOM handling, though specific CVE identifiers remain undisclosed to prevent exploitation.
The company emphasized its commitment to “zero-day prevention” through continuous fuzzing and sandboxing improvements.
The update will deploy incrementally over the coming weeks. Users can manually trigger an update via Chrome > Help > About Google Chrome.
Enterprises on the Extended Stable channel will receive versions 134.0.6998.36 (Windows) and 134.0.6998.45 (macOS).
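A fleet check against the fixed builds listed above, as an added example that is not part of the original article. The host names and inventory rows are constructed sample data, and the per-platform floors are assumed to be the lowest version the article gives for each platform.

```python
# Added example: flag hosts still below the Chrome 134 builds named in the article.
# Lowest fixed build per platform, taken from the article's version numbers.
FIXED = {
    "linux": (134, 0, 6998, 35),
    "windows": (134, 0, 6998, 35),
    "macos": (134, 0, 6998, 44),
}

def parse_version(text):
    """Parse 'a.b.c.d' into a tuple of four ints; return None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory row."""
    floor = FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if floor is None or version is None:
        return "unknown"  # never count unparseable data as patched
    # Tuple comparison is numeric and left to right, so 134.0.6998.9 sorts
    # below 134.0.6998.35 (a plain string comparison would get this wrong).
    return "patched" if version >= floor else "vulnerable"

def audit(rows):
    """Return (host, status) for every row that is not confirmed patched."""
    findings = []
    for host, platform, version_text in rows:
        status = classify(platform, version_text)
        if status != "patched":
            findings.append((host, status))
    return findings

# Constructed inventory: (host, platform, reported Chrome version).
INVENTORY = [
    ("build-01", "linux", "134.0.6998.35"),
    ("desk-17", "windows", "133.0.9999.99"),  # older major, high build number
    ("desk-22", "Windows", "134.0.6998.36"),  # Extended Stable build
    ("mac-03", "macos", "134.0.6998.9"),      # 9 < 44 numerically
    ("mac-07", "macos", "134.0.6998.35"),     # Linux/Windows floor, below macOS floor
    ("kiosk-4", "chromeos", "134.0.6998.35"), # platform not covered by the article
    ("desk-30", "windows", "not reported"),
]

if __name__ == "__main__":
    for host, status in audit(INVENTORY):
        print(f"{host}: {status}")
```

Hosts reported as "unknown" need manual follow-up rather than being assumed safe.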
Google temporarily restricted access to detailed bug reports until most users install the patches. Researchers are urged to report new issues via Chrome’s bug tracker, with bounties available through the Vulnerability Reward Program.
As exploit chains targeting browsers grow more sophisticated, timely updates are critical. Chrome 134 underscores the balance between open-source collaboration and behind-the-scenes hardening, a model increasingly adopted across the industry.