Google and Mozilla on Tuesday announced security updates for Chrome 135 and Firefox 137 that address potentially exploitable critical- and high-severity vulnerabilities.
Chrome versions 135.0.7049.95/.96 for Windows and macOS and version 135.0.7049.95 for Linux were rolled out with fixes for two memory safety vulnerabilities reported by external researchers.
The first, tracked as CVE-2025-3619, is described as a critical-severity heap buffer overflow issue in Codecs. The second is CVE-2025-3620, a use-after-free bug in USB.
While Google has not shared specific details on either of the flaws, both could likely be exploited by attackers with knowledge of memory allocation patterns to execute arbitrary code, typically by convincing a user to visit a crafted webpage.
Firefox was updated to version 137.0.2 across operating systems to resolve CVE-2025-3608, a high-severity race condition in nsHttpTransaction, the component that handles HTTP transactions.
According to Mozilla, the security defect could have been exploited to cause memory corruption, which could have opened the door to further exploitation.
On Tuesday, Mozilla also announced the release of Thunderbird 137.0.2 and Thunderbird ESR 128.9.2 with fixes for two high-severity bugs and one medium-severity flaw.
The high-severity issues, tracked as CVE-2025-3522 and CVE-2025-2830, are information disclosure vulnerabilities that could result in hashed Windows credentials or a directory listing of /tmp being exposed.
CVE-2025-3522 exists because, when handling attachments hosted externally, the URL that Thunderbird accesses to determine the attachment’s size is not validated or sanitized and could reference internal resources.
CVE-2025-2830 can be exploited through malformed file names for attachments in multipart messages to trick the email client into including a /tmp directory listing when a message is edited as a new message or forwarded.
Neither Google nor Mozilla make mention of any of these vulnerabilities being exploited in the wild. However, users should install the updates as soon as possible.
Related: Chrome 135, Firefox 137 Patch High-Severity Vulnerabilities
Related: Firefox Affected by Flaw Similar to Chrome Zero-Day Exploited in Russia
Related: Chrome 134, Firefox 136 Patch High-Severity Vulnerabilities
Related: Chrome 133, Firefox 135 Updates Patch High-Severity Vulnerabilities
