Chrome Users: Google Just Patched a Data-Stealing Bug, Update Right Now!


Google Chrome remains the most popular browser globally, so it’s no surprise that attackers constantly devise advanced ways to compromise the platform and target users. But beyond external threats, flaws within Chrome itself can also put users at risk, as revealed in the latest October update.
In a press release, Google announced the rollout of Chrome version 141.0.7390.65/.66 for Windows and macOS, and 141.0.7390.65 for Linux. The update addresses several bugs and performance issues, but more critically, it patches three security vulnerabilities related to Chrome’s memory handling, two of which are classified as high-risk.
Dangerous Chrome Flaws
The most hazardous flaw is CVE-2025-11458, a heap-based buffer overflow vulnerability in Chrome’s Sync component. This memory corruption bug allows attackers to crash the browser or execute arbitrary code, potentially installing spyware, stealing credentials, or gaining control over browser behavior.
One scenario involves a user visiting a compromised website that silently sends overloaded synchronization data to Chrome. While the user remains unaware, attackers can execute malicious actions without requiring elevated privileges.
Google credited security researcher Raven from Kunlun Lab for reporting the issue, awarding a $5,000 bounty through its Vulnerability Reward Program.
High CVE-2025-11458: Heap buffer overflow in Sync. Reported by raven at KunLun lab on 2025-09-05
High CVE-2025-11460: Use after free in Storage. Reported by Sombra on 2025-09-23
Medium CVE-2025-11211: Out of bounds read in WebCodecs. Reported by Jakob Košir on 2025-08-29
The second high-severity flaw, CVE-2025-11460, affects Chrome’s Storage component via a use-after-free vulnerability. Malicious scripts embedded in web pages can corrupt memory and crash the browser, again without needing user interaction once the page is loaded.
The third flaw, CVE-2025-11211, is a medium-risk vulnerability in Chrome’s WebCodecs API. Attackers can exploit this by injecting malicious video data into websites, causing Chrome’s decoding engine to read sensitive information or setting the stage for further exploits.
Despite the lower severity of the last bug, all three vulnerabilities share a dangerous trait: they require no user interaction or privilege escalation, making them prime targets for drive-by attacks and malicious ads.
Google has not disclosed whether these vulnerabilities have been exploited in the wild.
Steps to Protect Your Data
Users are strongly encouraged to update Chrome as soon as the new version becomes available. Even with the patch applied, staying vigilant online remains essential, especially when it comes to recognizing suspicious sites, avoiding shady extensions, and steering clear of unverified downloads. The less interaction attackers need, the more proactive we have to be.
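For administrators who need to confirm the update has actually landed across a fleet, the following added example (not from the original article or from Google) compares installed Chrome versions against the patched build named above. The patched build number comes from the article; the hostnames, platforms and installed versions in the sample inventory are constructed.

```python
"""Fleet check: which hosts still run a Chrome build older than the one that
fixes CVE-2025-11458, CVE-2025-11460 and CVE-2025-11211.

Added example, not from the original article or from Google. The patched
build number comes from the article; the host inventory is constructed.
"""
from __future__ import annotations

# Lowest build containing the fixes (article: 141.0.7390.65/.66 on
# Windows and macOS, 141.0.7390.65 on Linux). .66 is a later build of the
# same release, so .65 is the floor on every platform.
PATCHED_VERSION = "141.0.7390.65"

def parse_version(version: str) -> tuple[int, int, int, int]:
    """Turn '141.0.7390.66' into (141, 0, 7390, 66) so it compares numerically.

    Plain string comparison is wrong here: '99.0.4000.1' > '141.0.7390.65'.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version format: {version!r}")
    major, minor, build, patch = (int(p) for p in parts)
    return major, minor, build, patch

def is_patched(installed: str) -> bool:
    """True if the installed build is at or above the fixed build."""
    return parse_version(installed) >= parse_version(PATCHED_VERSION)

def triage(inventory: list[tuple[str, str, str]]) -> list[str]:
    """Return hostnames whose Chrome is below the patched build."""
    return [host for host, _platform, ver in inventory if not is_patched(ver)]

# Constructed inventory: (hostname, platform, installed Chrome version).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "141.0.7390.66"),  # patched Windows/macOS build
    ("ws-02", "windows", "141.0.7390.54"),  # earlier 141 build: vulnerable
    ("mac-01", "macos", "140.0.7300.100"),  # previous major: vulnerable
    ("lx-01", "linux", "141.0.7390.65"),    # exactly the patched Linux build
    ("lx-02", "linux", "99.0.4000.1"),      # would pass a naive string compare
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: Chrome below {PATCHED_VERSION}, update required")
```

In practice the inventory would come from an endpoint-management export or from each host's `chrome --version` output; the numeric comparison is the part that is easy to get wrong.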
What other steps do you take to protect your data online? We’d love to hear your thoughts.
Source: Google Chrome Blog