Google has released an urgent security update for its Chrome browser, addressing three critical vulnerabilities that could enable attackers to execute arbitrary code on users’ systems.
The Stable channel update, version 138.0.7204.168/.169 for Windows and Mac and 138.0.7204.168 for Linux, is rolling out to users worldwide over the coming days and weeks.
The most concerning issues are two high-severity type confusion vulnerabilities in Chrome’s V8 JavaScript engine, both discovered and reported by security researcher Shaheen Fazim on July 9, 2025. These flaws, tracked as CVE-2025-8010 and CVE-2025-8011, represent significant threats to browser security.
CVE-2025-8010 has been assigned a substantial $8,000 bug bounty reward, indicating its severity and potential impact. The second vulnerability, CVE-2025-8011, is still pending its reward determination but carries equally serious implications for user safety.
Type Confusion Attacks
Type confusion vulnerabilities occur when software accesses resources using incorrect data types, leading to unexpected behavior and potential security breaches.
In the context of Chrome’s V8 JavaScript engine, these flaws can be particularly dangerous as they allow attackers to manipulate memory allocations and potentially execute arbitrary code through specially crafted web pages.
“Type confusion, often combined with use-after-free, is the main attack vector to compromise modern C++ software like browsers,” according to cybersecurity researchers.
These vulnerabilities can lead to heap corruption, memory corruption, and ultimately arbitrary code execution when successfully exploited.
This update comes amid a concerning trend of increasing browser-based security threats. Security experts report that vulnerabilities in 2024 rose by 61% compared to 2023, with nearly 50,000 vulnerabilities forecasted for 2025.
Chrome’s V8 engine has become a particularly attractive target for cybercriminals, with Google offering enhanced bug bounty rewards of up to $20,000 for high-quality V8 vulnerability reports.
The V8 JavaScript engine, which powers not only Chrome but also other Chromium-based browsers like Microsoft Edge and Brave, processes billions of web interactions daily, making these vulnerabilities especially critical.
When exploited, these flaws could allow attackers to bypass Chrome’s security sandbox and gain access to the underlying operating system.
Security researchers emphasize that users should update their browsers immediately. Modern type confusion attacks can be triggered simply by visiting a malicious website, requiring no additional user interaction.
The attack typically begins with attackers crafting malicious HTML pages containing specially designed JavaScript code that exploits these V8 engine vulnerabilities.
Google’s security team has also acknowledged the work of various internal security initiatives, including AddressSanitizer, MemorySanitizer, and fuzzing techniques that help identify such vulnerabilities before they reach production.
However, the discovery of these high-severity issues by external researchers demonstrates the ongoing challenges in securing complex browser engines.
Chrome users should verify their browser version by navigating to Settings > About Chrome and allowing any pending updates to install automatically.
Given the severity of these vulnerabilities and their potential for exploitation in drive-by attacks, immediate patching is strongly recommended.
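For a fleet rather than a single browser, the same version check can be scripted against collected version banners. The following is an added example, not part of the original article; the host names, inventory lines and the `Google Chrome <version>` banner format are constructed assumptions, and only the fixed build number comes from the article.

```python
import re

# Fixed Stable build named in the article (lowest fixed build on Windows, Mac and Linux).
FIXED_BUILD = (138, 0, 7204, 168)
# Assumed banner format: "Google Chrome <major>.<minor>.<build>.<patch>"
BANNER_RE = re.compile(r"^Google Chrome\s+(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

# Constructed sample inventory: host,platform,version banner
INVENTORY = """\
ws-001,windows,Google Chrome 138.0.7204.169
ws-002,windows,Google Chrome 138.0.7204.98
mac-003,mac,Google Chrome 138.0.7204.168
lnx-004,linux,Google Chrome 137.0.7151.120
lnx-005,linux,Google Chrome 139.0.7258.5
ws-006,windows,Microsoft Edge 138.0.3351.95
ws-007,windows,Google Chrome 138.0.7204
"""

def parse_version(banner):
    """Return the four-part version as a tuple of ints, or None if unparseable."""
    m = BANNER_RE.match(banner.strip())
    return tuple(int(part) for part in m.groups()) if m else None

def classify(banner):
    """Return 'patched', 'vulnerable' or 'unknown' for one version banner."""
    version = parse_version(banner)
    if version is None:
        # Other Chromium-based browsers and truncated versions land here:
        # the article gives no fixed build for them, so do not guess.
        return "unknown"
    # Tuple comparison is numeric per component, so .98 sorts below .168
    # (a plain string comparison would get this wrong).
    return "patched" if version >= FIXED_BUILD else "vulnerable"

def audit(inventory):
    """Map each host in the inventory to its patch status."""
    results = {}
    for line in inventory.splitlines():
        if line.strip():
            host, _platform, banner = line.split(",", 2)
            results[host] = classify(banner)
    return results

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` need a manual check against the vendor's own advisory rather than being treated as safe.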
The post Chrome High-Severity Vulnerabilities Allow Attackers to Execute Arbitrary Code appeared first on Cyber Security News.