214/68 Friday, June 13, 2025
Google and Mozilla have released critical security updates for their Chrome and Firefox browsers, addressing four high-severity memory-related vulnerabilities that could lead to remote code execution (RCE), data leaks, or remote system takeover. The fixes are included in Chrome version 137 and Firefox version 139, both rolled out on Tuesday, targeting key components within each browser.
In Chrome, the updates resolve a use-after-free vulnerability in Media (CVE-2025-5958) and a type confusion issue in the V8 JavaScript engine (CVE-2025-5959). These flaws could potentially be chained with higher-privileged vulnerabilities to bypass the browser sandbox. Google awarded $8,000 to a researcher from Ant Group Light-Year Security Lab for reporting CVE-2025-5958. The reward for CVE-2025-5959 has not yet been disclosed, though past vulnerabilities of this nature have earned up to $55,000.
Mozilla Firefox 139.0.4 addresses a memory corruption flaw in canvas surfaces (CVE-2025-49709) and an integer overflow in the JavaScript engine’s OrderedHashTable (CVE-2025-49710). Additionally, Mozilla patched Thunderbird to fix CVE-2025-5986, which allowed specially crafted HTML emails to trick users into downloading .pdf files without their knowledge—even with auto-save disabled. This could result in data exfiltration on Windows or disk exhaustion on Linux. As of now, there are no reports of active exploitation for these vulnerabilities in the wild.
Source https://www.securityweek.com/chrome-firefox-updates-resolve-high-severity-memory-bugs/
