Technology / Wed, 17 Jun 2026

Chrome and Firefox Release Security Updates Addressing 70+ Vulnerabilities, Including Critical Memory Safety Flaws

Google and Mozilla have released major security updates for their flagship web browsers, patching more than 70 vulnerabilities collectively, including multiple critical and high-severity memory safety flaws that security experts warn could potentially be leveraged for remote code execution (RCE).

The updates arrive amid continued scrutiny of browser security as Chrome and Firefox remain among the most widely used internet browsers globally, making them attractive targets for cybercriminals, state-sponsored threat actors, and exploit developers seeking access to sensitive systems and user data.

Google Patches Critical Chrome Vulnerabilities

Google announced the release of Chrome versions:

149.0.7827.155 for Windows

149.0.7827.156 for macOS

149.0.7827.155 for Linux

The updated versions fix 33 security vulnerabilities identified within the browser.

According to Google's security advisory, 32 of the flaws were discovered internally by the company's security teams, highlighting the ongoing efforts by browser vendors to proactively identify and mitigate vulnerabilities before they can be weaponized by attackers.

Particularly concerning are seven vulnerabilities classified as critical severity. Six of these flaws involve use-after-free conditions, a class of memory corruption vulnerability that has repeatedly appeared in browser exploitation campaigns over the past decade.

Use-after-free vulnerabilities occur when software continues to reference memory after that memory has been freed. Attackers who successfully manipulate these conditions may gain the ability to execute malicious code, crash applications, or bypass security controls.

Use-after-free vulnerabilities remain among the most dangerous categories of browser flaws because they can often be chained with other weaknesses to achieve full system compromise.

In modern browsers, a single memory corruption bug is rarely enough to completely compromise a device. However, when combined with privilege escalation vulnerabilities or operating system flaws, attackers can potentially escape browser sandboxes and gain broader access to targeted systems.

Read Chrome advisory HERE.

Memory Safety Continues to Challenge Browser Security

The latest Chrome update also addresses 26 high-severity vulnerabilities spanning multiple categories, including:

Additional use-after-free flaws

Heap buffer overflow vulnerabilities

Out-of-bounds read conditions

Insufficient data validation issues

Incorrect security user interface implementations

Uninitialized memory usage defects

Other memory management weaknesses

These types of vulnerabilities are particularly significant because modern web browsers process enormous volumes of untrusted content daily, including websites, advertisements, scripts, multimedia files, and browser extensions.

Attackers routinely attempt to exploit browser flaws through malicious websites, phishing campaigns, compromised advertising networks, and drive-by download attacks that require little or no user interaction.

While Google has not disclosed technical details for the vulnerabilities, the company traditionally withholds extensive information until the majority of users have installed security updates. This practice is intended to reduce the risk of threat actors developing working exploits before organizations and consumers can patch affected systems.

Notably, Google stated that it is not aware of any of the newly disclosed vulnerabilities being actively exploited in the wild at the time of publication.

Mozilla Releases Firefox 152 Security Update

Mozilla simultaneously released Firefox 152 to the stable channel, delivering fixes for 40 vulnerabilities affecting the browser.

Among the patched flaws are 13 vulnerabilities categorized as high severity, including weaknesses involving:

Use-after-free memory corruption

Privilege escalation

Sandbox escape mechanisms

Incorrect boundary condition handling

Just-In-Time (JIT) compiler miscompilation

General memory safety defects

Mozilla warned that several of the memory safety vulnerabilities could potentially allow arbitrary code execution under certain circumstances.

Arbitrary code execution vulnerabilities are considered among the most serious security risks because they may enable attackers to run malicious code on victim systems, potentially leading to malware infections, credential theft, ransomware deployment, or unauthorized access to sensitive information.

The Firefox update reflects Mozilla's continued focus on strengthening browser security as sophisticated attackers increasingly target browser engines and rendering components.

Read Mozilla advisory HERE.

Browser Exploitation Remains a Major Threat

Modern browsers represent one of the largest attack surfaces within enterprise and consumer environments. Because browsers serve as the primary gateway to cloud services, email platforms, collaboration tools, financial applications, and business systems, successful browser exploitation can provide attackers with a valuable foothold inside networks.

Researchers have observed a growing trend in which attackers chain multiple vulnerabilities together. A typical attack sequence may involve:

Exploiting a browser memory corruption vulnerability

Escaping the browser sandbox

Leveraging an operating system privilege escalation flaw

Establishing persistence on the compromised device

Such exploit chains have been observed in both cybercriminal campaigns and advanced state-sponsored operations targeting government agencies, journalists, critical infrastructure operators, and enterprise organizations.

Browser vendors have responded by implementing increasingly sophisticated defensive technologies, including sandboxing, site isolation, memory protection mechanisms, exploit mitigations, and vulnerability reward programs designed to encourage responsible disclosure.

Additional Security Updates Released

Beyond Firefox 152, Mozilla has also issued security updates for several related products, including Firefox Extended Support Release (ESR), Thunderbird, and Firefox for iOS.

Organizations utilizing ESR versions, which are commonly deployed in enterprise environments due to their longer support lifecycle, are encouraged to prioritize updates to ensure protection against the newly disclosed vulnerabilities.

Email users running Thunderbird should also apply available patches, as some of the underlying browser engine vulnerabilities can affect email rendering and web content processing functionality within the application.

Update Immediately

Rapid patch deployment for browser vulnerabilities is critical, particularly those involving memory corruption and potential remote code execution.

Historically, browser vulnerabilities have become attractive targets shortly after public disclosure, as threat actors analyze security updates to reverse-engineer patches and identify the underlying flaws.

The period immediately following vendor disclosure is often viewed as a critical window during which unpatched systems face heightened risk.

Organizations are therefore advised to verify that automatic browser updates are functioning correctly across managed devices and to deploy the latest Chrome and Firefox releases as soon as operationally feasible.
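
One way to carry out that verification across a fleet, as an added example that is not from Google, Mozilla, or the article's author: it compares a browser inventory export against the fixed builds named above. The CSV columns, host names, and sample rows are constructed assumptions; ESR installs are reported as unknown because the article does not state a fixed ESR build.

```python
import csv
import io

# Fixed builds exactly as stated in the article, keyed by (browser, os).
FIXED = {
    ("chrome", "windows"): "149.0.7827.155",
    ("chrome", "macos"): "149.0.7827.156",
    ("chrome", "linux"): "149.0.7827.155",
    ("firefox", "any"): "152",
}

# Constructed inventory export; column names, hosts and versions are assumptions.
SAMPLE = """host,os,browser,channel,version
ws-001,windows,chrome,stable,149.0.7827.155
ws-002,windows,chrome,stable,149.0.7827.100
mac-01,macos,chrome,stable,149.0.7827.155
lnx-01,linux,firefox,stable,152.0
lnx-02,linux,firefox,stable,151.0.2
ws-003,windows,firefox,esr,140.0.1
"""

def parse_version(text):
    """'149.0.7827.155' -> (149, 0, 7827, 155); raises ValueError on junk."""
    return tuple(int(part) for part in text.strip().split("."))

def at_least(installed, minimum):
    """Numeric, component-wise comparison; '152.0' counts as equal to '152'."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))

def audit(inventory_csv):
    """Return {(host, browser): 'patched' | 'outdated' | 'unknown'}."""
    status = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        browser, os_name = row["browser"].lower(), row["os"].lower()
        minimum = FIXED.get((browser, os_name)) or FIXED.get((browser, "any"))
        key = (row["host"], browser)
        # The article gives no fixed ESR build, so ESR cannot be judged here.
        if minimum is None or row["channel"].lower() == "esr":
            status[key] = "unknown"
            continue
        try:
            status[key] = "patched" if at_least(row["version"], minimum) else "outdated"
        except ValueError:
            status[key] = "unknown"
    return status

if __name__ == "__main__":
    for (host, browser), state in audit(SAMPLE).items():
        print(f"{host:8} {browser:8} {state}")
```

Note that mac-01 is flagged as outdated: build 149.0.7827.155 is the fixed release on Windows and Linux, but the macOS fix is 149.0.7827.156, so a single fleet-wide minimum would miss it.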

Individual users should also update their browsers immediately, restart the applications so that the patches are applied successfully, and enable automatic updates whenever possible.

While neither Google nor Mozilla has reported active exploitation of the newly disclosed vulnerabilities, cybersecurity professionals caution that browser flaws capable of enabling remote code execution remain among the highest-priority risks facing internet users and enterprise defenders alike.

As threat actors continue to target web browsers as a pathway into personal and corporate environments, timely patching remains one of the most effective defenses against compromise.
