
Google Chrome users who want to stay safe and secure will want to update their browser to the latest version. That’s because it contains a fix for a critical vulnerability that could cause Chrome to crash or even infect your system or device with malware.
On Wednesday, Google released Chrome version 134.0.6998.117/.118 for Windows and Mac and 134.0.6998.117 for Linux. Rolling out over the next few days and weeks, this version offers several security fixes. But the patch for the critical vulnerability is the most important one.
As described in the NIST vulnerability database, CVE-2025-2476 points to “Use after free in Lens in Google Chrome prior to 134.0.6998.117 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.” And what does that mean in layman’s terms? Let’s break it down.
“Use after free” is a type of memory corruption in which a program continues to use a block of memory even after it’s been freed. Lens in Google Chrome refers to the Google Lens tool that can search for and identify items you spot through your phone’s camera.
“Heap corruption” means that the heap, the region of memory in which the program keeps its working data, is left in an inconsistent state that an attacker can abuse. And “a crafted HTML page” — in this instance — is a web page custom-designed for malicious purposes. Put them together, and any version of Chrome prior to 134.0.6998.117 is susceptible to attacker-created web pages that take advantage of the corrupted memory to infect your PC with malware.
Here’s a clever way to visualize this type of flaw.
“Imagine you’re at an amusement park with a wristband that gets you into a special ride,” Saeed Abbasi, manager of vulnerability research at Qualys Threat Research Unit, told ZDNET. “After your turn, you leave. But later, you sneak back and flash the same old wristband — now expired — to try getting on the ride again. The catch? The ride’s now open to someone else with a new wristband.
“In Chrome, this ‘use-after-free’ bug is like using a piece of memory after it’s been returned to the system, creating a glitchy free-for-all,” Abbasi continued. “This trick messes up Chrome’s memory; the ‘heap’ (Chrome’s memory pool) gets scrambled, leading to unpredictable chaos. In short, CVE-2025-2476 is a memory flaw where attackers use a shady web page to sneak past Chrome’s defenses, potentially taking over your browser like a rogue rider at the park.”
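The wristband analogy, as an added C illustration that is not Chrome's code (the actual Lens code is not on the page, and every name here is invented): a gate that keeps a second reference to a wristband is the vulnerable shape, and clearing that reference when the object is freed is the hardened form.

```c
#include <stdlib.h>
typedef struct { int ride_id; } Wristband;   /* heap object granting access */

/* The gate remembers the last wristband it scanned. That second reference is
 * what turns an ordinary free() into a use-after-free. */
typedef struct { Wristband *last_scanned; } Gate;

Wristband *issue_wristband(int ride_id) {
    Wristband *w = malloc(sizeof *w);
    if (w) w->ride_id = ride_id;
    return w;
}

/* Returns the ride id, or -1 when the gate holds no live wristband. */
int rescan(const Gate *g) {
    return g->last_scanned ? g->last_scanned->ride_id : -1;
}

int scan(Gate *g, Wristband *w) {
    if (!w) return -1;
    g->last_scanned = w;
    return w->ride_id;
}

/* Vulnerable pattern: the rider frees the wristband but the gate still holds
 * its address, so a later rescan() reads freed memory (undefined behaviour;
 * AddressSanitizer reports it as heap-use-after-free). Never called below. */
void leave_ride_unsafe(Wristband *w) {
    free(w);                          /* any Gate pointing at w now dangles */
}

/* Hardened pattern: whoever frees the object also clears every other
 * reference to it, so no dangling pointer survives the free. */
void leave_ride(Gate *g, Wristband **slot) {
    if (!slot || !*slot) return;
    if (g->last_scanned == *slot) g->last_scanned = NULL;
    free(*slot);
    *slot = NULL;
}

/* Exercises the hardened path; returns 0 on the expected outcome. */
int demo_safe(void) {
    Gate gate = { NULL };
    Wristband *w = issue_wristband(7);
    if (!w) return -1;
    int first = scan(&gate, w);       /* 7: live wristband */
    leave_ride(&gate, &w);            /* freed, both references cleared */
    int second = rescan(&gate);       /* -1: expired, no freed-memory read */
    return (first == 7 && second == -1 && w == NULL) ? 0 : 1;
}
```

Compiling with `-fsanitize=address` and swapping `leave_ride` for `leave_ride_unsafe` in `demo_safe` is how a developer would see the sanitizer report the stale read.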
Abbasi explained that just visiting a malicious web page can trigger the exploit, giving attackers the ability to run their own code on your PC. Since the bug is rated as critical, attackers could steal your passwords, credit card numbers, and other sensitive details stored in Chrome. They could even install malware, ransomware, or spyware without your knowledge, preventing you from noticing any threat until it’s already completed its job.
Flaws like these are sometimes discovered by external security researchers. For this one, Google credited and thanked SungKwon Lee, CEO of Korean cybersecurity provider Enki Whitehat, who reported the bug on March 5.
Other vulnerabilities are found internally by Google employees. Google said the latest update to Chrome includes various fixes from internal audits, fuzzing (automatically feeding a program large numbers of generated or mutated inputs to discover bugs), and other initiatives. Many vulnerabilities are discovered using tools such as AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL.
To grab the latest version of the browser, open Chrome and click the three-dot icon at the top right. Move to Help and select About Google Chrome. The new version will automatically download and install. Restart Chrome to complete the process.
Source: https://www.zdnet.com/article/its-time-to-update-google-chrome-again-asap-heres-why/