Google has patched a critical use-after-free vulnerability in the Chrome browser that could lead to code execution. The security researcher who discovered it received a $43,000 reward under the bug bounty program.
This week, an update for Chrome was released that fixed two issues discovered by external researchers.
The critical vulnerability in the ServiceWorker component, for which the aforementioned reward was paid, was assigned the identifier CVE-2025-10200 and was discovered by independent bug hunter Luben Yang (Looben Yang).
The issue is described as a use-after-free, and this type of vulnerability occurs when a program attempts to access memory that has already been freed. Exploiting such bugs typically leads to placing malicious code into the freed memory, potentially enabling arbitrary code execution and full system compromise.
The browser also fixed vulnerability CVE-2025-10201, discovered by Sahan Fernando and an anonymous researcher. This issue was related to an improper implementation in Mojo, and Google paid the specialists a $30,000 reward for it.
Although the browser developers report no exploitation of these vulnerabilities in real-world attacks, users are advised to update their browsers as soon as possible. The patches are included in Chrome version 140.0.7339.127/.128 for Windows, version 140.0.7339.132/.133 for macOS, and 140.0.7339.127 for Linux.
Although the sums the researchers received were quite substantial, recall that last month a bug hunter using the handle Micky received a record bounty from Google. The specialist discovered a Chrome bug that allowed the browser sandbox to be bypassed and earned $250,000 through the company’s bug bounty program.