Google and Mozilla on Tuesday announced the promotion of Chrome 136 and Firefox 138 to their stable channels with patches for over a dozen vulnerabilities, including multiple high-severity bugs.
Chrome 136 was rolled out with eight security fixes, four of which address flaws reported by external researchers.
The most severe of the externally reported security defects is CVE-2025-4096, a high-severity heap buffer overflow issue in HTML that earned the reporting researcher a $5,000 bug bounty reward.
The remaining three vulnerabilities reported by external researchers include medium-severity out-of-bounds memory access and insufficient data validation issues in DevTools, and a low-severity inappropriate implementation in DevTools.
Google says it paid out $2,000 rewards for the medium-severity bugs and a $1,000 bug bounty for the low-severity one.
The latest Chrome iteration is rolling out as versions 136.0.7103.48/49 for Windows and macOS, and as version 136.0.7103.59 for Linux.
On Tuesday, Mozilla released Firefox 138 with patches for 11 vulnerabilities, including four high-severity bugs that could lead to privilege escalation, sandbox escape, and potentially arbitrary code execution.
The browser update also fixes six medium-severity flaws potentially leading to information disclosure, obscured file extension during download, memory corruption, cross-site request forgery (CSRF) attacks, and code execution. A low-severity issue impacting Firefox for Android was also resolved.
Fixes for these vulnerabilities were also included in Thunderbird 138, and Firefox ESR and Thunderbird ESR were updated as well to resolve some of these flaws. Additional information can be found on Mozilla’s security advisories page.
Neither Google nor Firefox mentions any of these security defects being exploited in the wild, but users are advised to update their browsers as soon as possible.