Chrome 134 and Firefox 136 were released to the stable channel on Tuesday with patches for dozens of vulnerabilities, including multiple high-severity bugs.
Google rolled out Chrome 134 with 14 security fixes, including nine for security defects reported by external researchers.
The most severe of these is CVE-2025-1914, a high-severity out-of-bounds read bug in the V8 JavaScript engine that earned its two reporting researchers a $7,000 bug bounty reward.
The latest Chrome update resolves six externally reported medium-severity flaws, including an improper limitation in DevTools, a use-after-free in Profiles, improper implementations in Browser UI and Media Stream, and out-of-bounds reads in PDFium and Media.
Two low-severity improper implementations in Selection and Permission Prompts were also addressed in this browser release.
Google says it handed out a total of $27,000 in bug bounty rewards to the reporting researchers for these vulnerabilities, but is keeping details on the flaws restricted for the time being.
The latest Chrome iteration is now rolling out as version 134.0.6998.35 for Linux, versions 134.0.6998.35/36 for Windows, and versions 134.0.6998.44/45 for macOS. Chrome’s extended stable channel was updated to version 134.0.6998.36 for Windows and version 134.0.6998.45 for macOS.
Mozilla promoted Firefox 136 to the stable channel with patches for 15 vulnerabilities, including eight high-severity bugs, five medium-severity issues, and two low-severity defects.
The high-severity vulnerabilities could lead to sandbox escape, users being tricked into granting sensitive permissions, potentially exploitable crashes, potentially exploitable out-of-bounds access, and arbitrary code execution.
On Tuesday, Mozilla also announced the release of Firefox ESR 128.8 with patches for 10 vulnerabilities (including one critical- and six high-severity flaws) and Firefox ESR 115.21 with fixes for five security defects (one critical- and four high-severity bugs).
Thunderbird 136 and Thunderbird ESR 128.8 were also released on Tuesday, with patches for 11 and 10 vulnerabilities, respectively.
Neither Google nor Mozilla mentions any of these security defects being exploited in the wild. However, users are advised to update their applications as soon as possible.