Google releases Chrome 134, fixes 14 vulnerabilities

5 March 2025 2 minutes Author: Newsman

Google has updated its Chrome browser to version 134, which fixes 14 vulnerabilities, including a critical bug that could lead to crashes, data leakage, or arbitrary code execution. The update is available for Windows, macOS, and Linux.

Chrome 134 (versions 134.0.6998.35/36 for Windows, 134.0.6998.44/45 for macOS, and 134.0.6998.35 for Linux) includes fixes for vulnerabilities in the V8 JavaScript engine, DevTools, and PDFium.

  • The most serious vulnerability, CVE-2025-1914, is an out-of-bounds (OOB) read error in V8 that allowed access to memory outside the allocated buffer. Fixed with improved array bounds checking.
  • CVE-2025-1915 – Vulnerability in DevTools that allowed attackers to gain unauthorized access to the file system. Fixed with file path checking.
  • CVE-2025-1916 – Use-after-free (UAF) in the profile management system that could lead to memory corruption. Google has changed the garbage collection order to fix the issue.
  • CVE-2025-1917 – A bug in the browser UI on Android that allowed attackers to simulate dialog boxes to steal access rights. Fixed with url::Origin checking.
  • CVE-2025-1918 – A bug in PDFium when processing XFA forms. Fixed with array index checking.
  • CVE-2025-1919 – A vulnerability in the Media API that allowed bypassing WebRTC stream limits. Fixed by strengthening security checks.

Google Chrome is actively improving in response to new threats. The Vulnerability Reporter Reward Program (VRP) encourages researchers to report vulnerabilities, and this update has brought in over $23,500 in rewards. Chrome can be updated manually using chrome://settings/help or by enabling automatic updates. Administrators should use GPO or Chrome Browser Cloud Management to deploy new versions.
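
For administrators verifying a rollout, the following added example (not part of the original article or any Google tooling) checks reported Chrome versions against the fixed builds listed above, per platform. It assumes the lower build of each listed pair is the minimum patched version; the inventory lines and function names are constructed for illustration.

```python
import re

# Fixed builds as listed in the article; the lower build of each
# pair is taken as the minimum patched version (assumption).
FIXED = {
    "windows": (134, 0, 6998, 35),
    "macos": (134, 0, 6998, 44),
    "linux": (134, 0, 6998, 35),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Extract a four-part version from text such as `--version` output."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())

def status(platform, version_text):
    """Return 'patched', 'outdated', or 'unknown' for one endpoint."""
    minimum = FIXED.get(platform.lower())
    version = parse_version(version_text)
    if minimum is None or version is None:
        return "unknown"
    # Tuple comparison is numeric per component, so build 9 sorts
    # below build 35 (a plain string comparison would get this wrong).
    return "patched" if version >= minimum else "outdated"

# Constructed inventory: (host, platform, reported version string).
INVENTORY = [
    ("ws-001", "windows", "Google Chrome 134.0.6998.36"),
    ("ws-002", "windows", "Google Chrome 133.0.6943.142"),
    ("mac-01", "macos", "Google Chrome 134.0.6998.35"),
    ("lnx-01", "linux", "Google Chrome 134.0.6998.9"),
    ("lnx-02", "linux", "Google Chrome 134.0.6998.35"),
    ("kiosk-1", "chromeos", "Google Chrome 134.0.6998.35"),
    ("ws-003", "windows", "not installed"),
]

def audit(inventory):
    """Map each host to its patch status."""
    return {host: status(platform, text) for host, platform, text in inventory}

if __name__ == "__main__":
    for host, result in audit(INVENTORY).items():
        print(f"{host:8} {result}")
```

Note that `mac-01` is reported as outdated even though the same build number counts as patched on Windows and Linux, because the macOS fix ships in a later build.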
