One of the critical flaws patched in the latest Chrome update now has public exploit code, raising fresh concerns for millions of users.
Quick Summary – TLDR:
- Google released Chrome version 141.0.7390.65/.66 with patches for three serious vulnerabilities
- One of the flaws, a bug in Chrome’s V8 engine, now has a full public exploit available
- Researchers demonstrated remote code execution using a sandbox bypass and crafted WebAssembly types
- Users and enterprises are urged to update immediately to prevent exploitation
What Happened?
Google pushed a new Chrome update across Windows, macOS, and Linux to fix three major security vulnerabilities, two of which are rated high severity. The most critical of them, involving Chrome’s V8 JavaScript engine, now has a public exploit: technical details and proof-of-concept code are circulating online.
🐞Bug Spotlight: CVE-2025-10200 – Use-after-Free in Chrome Service Worker [bounty $43000]
One-shot renderer RCE to sandbox escape with a deep iterator invalidation
Issue: 🔒440454442 (currently private)
Reported by Looben Yang
Reverse engineering & PoC exploit by @alisaesage pic.twitter.com/06Uak6XSrS
— Zero Day Engineering (@zerodaytraining) October 8, 2025
Critical Bugs Found and Patched
The latest update, Chrome 141.0.7390.65/.66, includes three security fixes, each reported by external security researchers and rewarded through Google’s vulnerability program. All three involve improper memory handling that can be triggered by visiting a malicious web page:
- CVE-2025-11458 (High Severity): A heap buffer overflow in Chrome Sync. Reported by “raven” from KunLun Lab, who received a $5,000 reward.
- CVE-2025-11460 (High Severity): A use-after-free flaw in Chrome’s Storage component. Discovered by Sombra, reward still pending.
- CVE-2025-11211 (Medium Severity): An out-of-bounds read in the WebCodecs API. Reported by Jakob Košir and rewarded with $3,000.
These vulnerabilities could allow attackers to run arbitrary code in the browser simply by luring users to open a malicious website or advertisement. No elevated privileges are needed, making them dangerous in real-world scenarios.
Exploit Code Released for V8 Bug
The biggest concern comes from a newly published exploit targeting a V8 engine flaw that Google quietly patched in Chrome M137. The exploit showcases a deep technical chain of abuse starting from a type confusion vulnerability in WebAssembly.
Security researcher Seunghyun Lee (0x10n), who earned top recognition at TyphoonPWN 2025, crafted the exploit using a technique that triggers nullability confusion in recursive type groups. By leveraging a birthday attack on Chrome’s MurmurHash64A function, attackers can manipulate how WebAssembly types are interpreted, effectively sidestepping safety checks.
In addition, the exploit uses a sandbox bypass via JS Promise Integration (JSPI) flaws. By spraying attacker-controlled data and abusing suspended stack frames, the exploit builds a return-oriented programming (ROP) chain to invoke VirtualProtect and run arbitrary shellcode.
The publicly available proof-of-concept even demonstrates launching the Windows Calculator app (calc.exe) as a live test of the exploit’s effectiveness.
Why It Matters?
While Google has already patched the V8 vulnerability, the release of exploit code puts unpatched systems at serious risk. If users or organizations have not yet updated, they may be vulnerable to drive-by attacks where no user interaction is needed beyond visiting a rigged website.
What You Should Do Now?
- Update Chrome to version 141.0.7390.65/.66 immediately. Most users will receive it automatically, but it can be manually checked via Chrome settings under “About Google Chrome.”
- Enterprises using managed environments should prioritize deployment across all endpoints.
- Developers and sysadmins should strengthen site defenses using Content Security Policy (CSP) and validate all user inputs.
- Security teams are encouraged to adopt runtime memory safety tools like AddressSanitizer and Control Flow Integrity during development.
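As an added example (not from the article, Google, or any of the researchers named above), a small Python helper that does the version check from the first step at fleet scale: it parses the version string an endpoint reports, such as the output of `google-chrome --version`, and compares it numerically against the fixed build 141.0.7390.65. The hostnames and version strings in the sample inventory are constructed.

```python
import re

# Fixed build named in the advisory: Chrome 141.0.7390.65 (.66 is the same fix
# level shipped to some platforms), so .65 is the minimum we accept.
PATCHED_VERSION = (141, 0, 7390, 65)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Pull a four-part Chrome/Chromium version out of free text, e.g. the
    output of `google-chrome --version` ('Google Chrome 141.0.7390.65').
    Returns a tuple of ints, or None when no version string is present."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())

def is_patched(text, minimum=PATCHED_VERSION):
    """True when the version found in `text` is at or above the fixed build.
    Tuples compare component by component as integers, so 141.0.7390.9 sorts
    below 141.0.7390.65, which a plain string comparison gets backwards.
    An unparseable string is reported as not patched, never as safe."""
    version = parse_version(text)
    return version is not None and version >= minimum

def triage(inventory):
    """Split a {hostname: version_string} inventory into patched, unpatched
    and unknown hosts. The inventory comes from whatever endpoint tool you
    already run; this function only does the comparison."""
    result = {"patched": [], "unpatched": [], "unknown": []}
    for host, text in inventory.items():
        if parse_version(text) is None:
            result["unknown"].append(host)
        elif is_patched(text):
            result["patched"].append(host)
        else:
            result["unpatched"].append(host)
    return result

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "ws-01": "Google Chrome 141.0.7390.65",
        "ws-02": "Google Chrome 141.0.7390.9",   # string-sorts above .65, but older
        "ws-03": "Chromium 140.0.7339.207",
        "ws-04": "chrome not installed",
    }
    print(triage(sample))
```

Hosts that land in "unknown" need a manual look rather than being assumed safe; a missing or malformed version string is exactly the case the comparison cannot vouch for.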
SQ Magazine Takeaway
Honestly, this one is a wake-up call. It’s not every day you see exploit code for a major browser like Chrome go public so quickly after a patch. This could lead to widespread misuse if users don’t act fast. What’s more concerning is how sophisticated the attack chain is, combining low-level WebAssembly quirks with stack manipulation. I’ve already updated my browser, and I recommend you do the same before attackers start automating these exploits in malware kits.