Google and Mozilla have released critical security updates for Chrome 137 and Firefox 139, patching a total of 21 vulnerabilities across the two browsers — including three rated as high severity. Users are strongly encouraged to update immediately, as these flaws could expose them to serious threats like code execution and memory corruption.
With Chrome 137, Google rolled out 11 security fixes, eight of which were reported by external researchers. Among them were two high-risk memory safety vulnerabilities: a use-after-free bug in the Compositing component (CVE-2025-5063) and an out-of-bounds write issue in the V8 JavaScript engine (CVE-2025-5280). Although Google has not shared full technical details, these types of bugs are known to be exploitable — potentially allowing attackers to run arbitrary code or crash the browser. Worse still, when paired with system-level flaws or elevated permissions, these issues could lead to sandbox escapes, a common tactic in advanced browser attacks.
Alongside these, Chrome also patched five medium-severity vulnerabilities affecting features like the Background Fetch API, FileSystemAccess API, Messages, BFCache, and libvpx. A low-severity issue in Tab Strip was also addressed. Google has already paid out $7,500 in bug bounty rewards, though final payouts for the high-severity vulnerabilities and some medium bugs are still pending.
Chrome 137 is now rolling out in phases: versions 137.0.7151.55 and 137.0.7151.56 are live for Windows and macOS users, while Linux users will receive version 137.0.7151.55.
Mozilla’s Firefox 139 patches 10 vulnerabilities, including a high-severity double-free bug in libvpx (no CVE yet assigned). This issue could have led to memory corruption and a crash — potentially exploitable in the right conditions. Other fixed flaws include six medium-severity bugs that posed risks like cross-origin data leaks, local code execution, XS-Leaks, and memory issues.
Mozilla also pushed updates across its extended support versions. Firefox ESR 128.11 patched eight of these flaws, while ESR 115.24 resolved four. Thunderbird 139 received fixes for all 10 vulnerabilities, and Thunderbird 128.11 got eight of them.
At the time of writing, there are no reports of these vulnerabilities being actively exploited. Still, browser security bugs are frequently targeted by attackers after disclosure. That’s why both companies stress the importance of updating as soon as possible to stay protected.
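The fixed versions listed above can be turned into a quick fleet check. The following is an added example, not code from Google or Mozilla: it flags installed versions that are below the fix for their branch. The inventory rows, host names and the `(host, product, version)` record layout are assumptions made for illustration.

```python
import re

# Fixed versions as named in the article, one entry per supported branch.
FIXED = {
    "chrome": ["137.0.7151.55"],
    "firefox": ["139", "128.11", "115.24"],
    "thunderbird": ["139", "128.11"],
}

def parse(version):
    """'128.10.0esr' -> (128, 10, 0); a trailing non-numeric suffix is ignored."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(parts)

def is_patched(product, version):
    """True if version is at or above the fix for its branch."""
    fixed = [parse(f) for f in FIXED[product.lower()]]
    have = parse(version)
    # Compare against the fix on the same major branch (the ESR lines);
    # with no matching branch, the newest fixed release is the bar.
    target = next((f for f in fixed if f[0] == have[0]), max(fixed))
    width = max(len(have), len(target))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(have) >= pad(target)

def outdated(inventory):
    """Return the (host, product, version) rows that still need the update."""
    return [row for row in inventory if not is_patched(row[1], row[2])]

# Constructed sample inventory (hypothetical hosts and installed versions).
SAMPLE = [
    ("ws-01", "chrome", "137.0.7151.55"),
    ("ws-02", "chrome", "136.0.7103.114"),
    ("ws-03", "firefox", "128.10.0esr"),
    ("ws-04", "firefox", "115.24.0esr"),
    ("ws-05", "thunderbird", "138.0.1"),
    ("ws-06", "firefox", "139.0"),
]

if __name__ == "__main__":
    for host, product, version in outdated(SAMPLE):
        print(f"{host}: {product} {version} is below the fixed version")
```

An ESR install is judged against the fix on its own branch, so Firefox 128.10 is flagged even though it is a supported line, while 115.24 passes.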