Google Chrome 134 Security Update: 14 Vulnerabilities Patched
Google has rolled out Chrome 134 to the stable channel, delivering critical security updates that resolve 14 vulnerabilities, including high-severity flaws that could enable browser crashes, data leaks, or arbitrary code execution.
The update (versions 134.0.6998.35 for Linux, 134.0.6998.35/36 for Windows, and 134.0.6998.44/45 for macOS) follows Google’s standard phased release strategy. Extended stable channel users receive builds 134.0.6998.36 (Windows) and 134.0.6998.45 (macOS).
The patch notably addresses flaws in core components such as the V8 JavaScript engine, DevTools, and PDFium, while implementing stricter boundary checks and memory management protocols.
High-Severity Vulnerability
The most severe flaw, CVE-2025-1914, is an out-of-bounds (OOB) read vulnerability in V8—Chrome’s JavaScript execution engine. OOB read errors occur when processes access memory outside allocated buffer boundaries, potentially exposing sensitive data or destabilizing renderer processes. Google’s fix introduces enhanced array bounds validation during Just-In-Time (JIT) compilation phases, hardening against speculative execution attacks. Researchers Zhenghang Xiao (@Kipreyyy) and Nan Wang (@eternalsakura13) earned a $7,000 bounty for identifying the vulnerability.
Medium-Severity Vulnerabilities
The update resolves CVE-2025-1915, a path traversal flaw in DevTools that allowed unauthorized file system access via malformed debugging requests. Insufficient sanitization of user-supplied paths in the DevTools::FileHelper class could bypass sandbox restrictions. Google has implemented canonicalization checks using base::FilePath::IsAbsolute() and base::NormalizeFilePath() to validate path integrity. Researcher Topi Lassila discovered this vulnerability.
CVE-2025-1916 is a medium-severity use-after-free (UAF) vulnerability in Chrome’s profile management system. UAF flaws arise when a program continues using a memory pointer after deallocating the underlying resource, creating opportunities for heap corruption. Google’s patch modifies the lifecycle management of profile objects, ensuring proper garbage collection sequencing. This vulnerability was discovered by parkminchan of SSD Labs Korea.
The release prioritizes CVE-2025-1917, a medium-severity flaw in Chrome’s Browser UI implementation on Android. As reported by Khalil Zhani, this vulnerability allowed attackers to spoof UI elements such as permission prompts via crafted origin strings, mimicking legitimate sites to trick users into granting unnecessary permissions. Google’s fix introduces rigorous url::Origin validation in the PermissionRequestManager, ensuring that dialog content matches the actual request origin.
PDFium, Chrome’s PDF rendering engine, received patches for CVE-2025-1918, an OOB read during XFA form parsing. The vulnerability stemmed from miscalculations in the CXFA_FFWidget::CalculateWidgetAccData() method, which failed to validate childNode indices against the pChildren array’s actual length. The fix introduces boundary checks using DCHECK_LT macros before array accesses. The vulnerability was reported by asnine.
Media component updates address CVE-2025-1919, where improper handling of fragmented MP4 (fMP4) streams could trigger OOB reads in the mp4::BoxReader class. Google has restructured the box validation logic to reject malformed stsz (sample size) atoms that declare inconsistent sample counts. The vulnerability was reported by researchers @Bl1nnnk and @Pisanbao.
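The consistency check described for stsz atoms can be illustrated with a small validator. This is an added example, not Chromium's mp4::BoxReader code: it assumes the standard ISO BMFF stsz layout with a 32-bit box size, and the names parse_stsz, make_stsz, is_rejected and MalformedBox are hypothetical.

```python
import struct

# ISO BMFF 'stsz' FullBox header: size, type, version+flags, sample_size, sample_count
HEADER = struct.Struct(">I4sIII")

class MalformedBox(ValueError):
    """A declared field disagrees with the bytes actually present."""

def parse_stsz(buf: bytes) -> dict:
    """Parse one stsz box, validating every declared length before any read."""
    if len(buf) < HEADER.size:
        raise MalformedBox("truncated stsz header")
    size, box_type, _vflags, sample_size, sample_count = HEADER.unpack_from(buf)
    if box_type != b"stsz":
        raise MalformedBox(f"unexpected box type {box_type!r}")
    # 32-bit sizes only; size 0 (to end of file) and 1 (64-bit) are out of scope here.
    if size < HEADER.size or size > len(buf):
        raise MalformedBox("declared box size does not fit the buffer")
    entries = []
    if sample_size == 0:
        # A per-sample table follows: exactly sample_count 32-bit entries.
        table_len = size - HEADER.size
        if sample_count * 4 != table_len:
            raise MalformedBox(
                f"sample_count={sample_count} needs {sample_count * 4} bytes, "
                f"box carries {table_len}")
        entries = list(struct.unpack_from(f">{sample_count}I", buf, HEADER.size))
    return {"sample_size": sample_size, "sample_count": sample_count,
            "entries": entries}

def make_stsz(sample_size, declared_count, entries):
    """Build a constructed test box; declared_count may deliberately disagree."""
    body = struct.pack(">III", 0, sample_size, declared_count)
    body += b"".join(struct.pack(">I", e) for e in entries)
    return struct.pack(">I4s", 8 + len(body), b"stsz") + body

def is_rejected(buf):
    """True when the parser refuses the box instead of reading past its data."""
    try:
        parse_stsz(buf)
    except MalformedBox:
        return True
    return False

if __name__ == "__main__":
    good = make_stsz(0, 3, [100, 200, 300])
    inconsistent = make_stsz(0, 1000, [100, 200, 300])  # count exceeds the table
    print(parse_stsz(good)["entries"], is_rejected(inconsistent))
```

The count is compared against the bytes the box actually carries before the table is unpacked, so a declared count never drives a read beyond the buffer.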
CVE-2025-1921 covers an inappropriate implementation in Chrome’s Media Stream API. Researcher Kaiido identified that malformed WebRTC configurations could bypass stream isolation safeguards, enabling cross-origin data leaks. The update strengthens the MediaStreamTrack validation logic, enforcing same-origin checks for track sources.
Low-Risk Vulnerabilities
Lower-severity patches include CVE-2025-1922, an input sanitization flaw in text selection handlers, and CVE-2025-1923, a permission prompt spoofing issue that relied on crafted origin strings. Researcher Khalil Zhani earned dual bounties for identifying UI inconsistencies in permission dialogs, prompting Google to adopt stricter url::Origin validation in the PermissionRequestManager class.
Google’s internal security teams contributed additional fixes through audits and fuzzing frameworks. These efforts optimized Control Flow Integrity (CFI) policies in the renderer process and hardened IPC message validation in the GPU subsystem.
Upgrade Recommendations
Users are advised to manually trigger updates via chrome://settings/help or enable automatic background updates. Enterprise administrators can deploy the latest builds through GPO or Chrome Browser Cloud Management consoles.
Google has temporarily restricted access to detailed bug reports until most users adopt the patched versions—a standard practice to prevent exploit weaponization. The company also acknowledged contributions from 14 external researchers, disbursing over $23,500 in rewards through its Vulnerability Reward Program (VRP).
This release underscores Chrome’s layered security model, combining memory safety mitigations, rigorous fuzzing, and proactive researcher collaboration to maintain defense against evolving web-based threats.