Google and Mozilla Push Critical Security Patches


Google and Mozilla have released critical updates for their flagship browsers—Chrome 135 and Firefox 137—to patch several serious vulnerabilities that could leave users exposed to remote code execution and data leaks. These updates come as part of the companies’ ongoing efforts to stay ahead of growing cybersecurity threats.

The Chrome 135.0.7049.95/.96 update for Windows and macOS—and version 135.0.7049.95 for Linux—addresses two major memory-related vulnerabilities. According to Google, both flaws were reported by external security researchers and have been classified as high to critical severity.

One of the vulnerabilities, CVE-2025-3619, is a heap buffer overflow bug located in Chrome’s Codecs component. The second flaw, CVE-2025-3620, involves a use-after-free issue in the USB module. While technical details are limited to prevent immediate exploitation, these types of bugs typically allow attackers to manipulate memory and execute malicious code—especially if a user is tricked into visiting a specially crafted website.

Memory safety issues are among the most dangerous browser bugs. They can be exploited to gain control over a device, steal information, or deliver malware. That’s why Google moved quickly to patch these holes in the latest Chrome release.

Mozilla, too, has taken swift action. The newly released Firefox 137.0.2 update fixes CVE-2025-3608, a high-severity race condition in the component responsible for HTTP transactions, known as nsHttpTransaction. This flaw could lead to memory corruption and potentially open the door to further exploitation, particularly when users browse malicious websites.

In addition to Firefox, Mozilla also updated its email client, Thunderbird, to versions 137.0.2 and 128.9.2 ESR. These versions resolve two high-severity vulnerabilities—CVE-2025-3522 and CVE-2025-2830—as well as a medium-severity flaw. The most alarming of the Thunderbird issues could allow hashed Windows credentials or sensitive directory listings to be exposed under certain conditions.

One flaw stems from how Thunderbird handles external attachments. The client fails to properly sanitize the URLs used to fetch file sizes, which could lead to unintended access to internal system resources. Another vulnerability can be triggered by specially crafted filenames in email attachments, potentially exposing directory contents when users forward or edit messages.

Neither Google nor Mozilla has reported any of these flaws being exploited in the wild. However, security professionals warn that these kinds of vulnerabilities are often quickly weaponized once publicly disclosed.

To stay protected, users are strongly encouraged to update their browsers and email clients immediately. Most modern browsers will update automatically, but it’s always best to manually check that you’re on the latest version—especially when critical vulnerabilities are involved.
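For administrators checking more than one machine, the sketch below compares reported version strings against the fixed builds named in this article. It is an added example, not code from Google or Mozilla; the function names, the inventory rows and the version-string formats are constructed for illustration, and it assumes that later major releases carry the same fixes.

```python
import re

# Fixed builds named in the article, keyed by product and major branch.
# Thunderbird has two patched branches: 137.x release and 128.x ESR.
FIXED = {
    "chrome": {135: (135, 0, 7049, 95)},
    "firefox": {137: (137, 0, 2)},
    "thunderbird": {137: (137, 0, 2), 128: (128, 9, 2)},
}

def parse_version(text):
    """Extract the dotted version from a string such as 'Thunderbird 128.9.2esr'."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    if match is None:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in match.group().split("."))

def patch_status(product, version_text):
    """Classify one installed version against the fixed builds above."""
    version = parse_version(version_text)
    branches = FIXED[product]
    fixed = branches.get(version[0])
    if fixed is not None:
        # Compare inside the same branch, so 137.0.1 is not excused by 128.9.2.
        return "patched" if version >= fixed else "needs-update"
    if version[0] > max(branches):
        return "patched"  # assumption: later major releases carry the fixes
    return "no-fix-listed"  # branch for which the article names no fixed build

# Constructed inventory rows: (host, product, reported version string).
INVENTORY = [
    ("ws-01", "chrome", "Google Chrome 135.0.7049.84"),
    ("ws-02", "chrome", "Google Chrome 135.0.7049.96"),
    ("ws-03", "firefox", "Mozilla Firefox 137.0.1"),
    ("ws-04", "thunderbird", "Mozilla Thunderbird 128.9.2esr"),
    ("ws-05", "thunderbird", "Mozilla Thunderbird 137.0.1"),
    ("ws-06", "firefox", "Mozilla Firefox 128.9.0esr"),
]

def audit(rows):
    """Return (host, product, status) for every row not confirmed patched."""
    results = [(host, prod, patch_status(prod, ver)) for host, prod, ver in rows]
    return [row for row in results if row[2] != "patched"]

if __name__ == "__main__":
    for host, product, state in audit(INVENTORY):
        print(f"{host}: {product} {state}")
```

A "no-fix-listed" result means only that this article names no fixed build for that branch; check the vendor advisory for it.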

With threats growing more sophisticated every day, timely updates remain one of the most effective ways to guard against cyberattacks. Chrome 135 and Firefox 137 demonstrate the importance of regular patching and the ongoing work required to keep internet users safe.
