Google has confirmed a critical security flaw in Chrome that affects billions of users across Windows, Mac, Linux, and Android platforms.
The vulnerability, which could allow attackers to execute arbitrary code through specially crafted web pages, prompted an urgent update release to address the issue before widespread exploitation.
Use-After-Free Vulnerability in Chrome Lens
The security flaw tracked as CVE-2025-2476 has been classified as a critical use-after-free (UAF) memory vulnerability in Chromeβs Lens component.
It was discovered and reported by security researcher SungKwon Lee of Enki Whitehat on March 5, 2025.
This severe issue could potentially allow remote attackers to exploit heap corruption via specially crafted HTML pages.
Use-after-free vulnerabilities represent a particularly dangerous class of memory management flaws that occur when a program continues to reference memory after it has been freed.
In practical terms, when malicious data is introduced before memory consolidation occurs, attackers can potentially leverage this condition to execute arbitrary code on affected systems.
The MITRE Common Weakness Enumeration database characterizes use-after-free vulnerabilities as scenarios where memory is improperly reused after being released, potentially leading to system compromise.
Googleβs AddressSanitizer, a memory error detection tool, is specifically designed to identify such flaws during development phases, highlighting their significance in modern browser security.
Security Implications for UsersSuccessful exploitation of this vulnerability could allow attackers to execute arbitrary code with the same privileges as the logged-in user.
This means that depending on the userβs permission level, attackers could potentially:
Install unauthorized programsAccess, modify, or delete sensitive dataCreate new accounts with full user rightsTake complete control of the affected systemThe vulnerability affects Chrome versions before 134.0.6998.117/.118 on Windows and Mac and 134.0.6998.117 on Linux platforms.
While no active exploitation has been confirmed in the wild, Googleβs critical rating underscores the urgency of users updating immediately.
On March 19, 2025, Google released security updates to address the vulnerability. The stable channel has been updated to version 134.0.6998.117/.118 for Windows and Mac and 134.0.6998.117 for Linux users.
The Extended Stable channel has also been updated to version 134.0.6998.89 for Windows and Mac systems.
Google has implemented a standard practice of restricting detailed vulnerability information until a majority of users have updated their browsers, providing a critical protection window for users to secure their systems.
How to Protect Your SystemUsers are strongly advised to update their Chrome installations immediately by:
Opening Chrome and clicking the three-dot menu in the top-right cornerNavigating to Help > About Google ChromeAllowing Chrome to automatically check for and install the latest updateRestarting the browser to complete the update processThe update will roll out over the coming days and weeks, but users should not wait for automatic updates and should manually verify they are running the latest version, especially given the critical nature of this security issue.