
Chrome 136, Firefox 138 Patch High-Severity Vulnerabilities


Chrome 136 and Firefox 138 were released in the stable channel with patches for multiple high-severity vulnerabilities.

Google and Mozilla on Tuesday announced the promotion of Chrome 136 and Firefox 138 to their stable channels with patches for over a dozen vulnerabilities, including multiple high-severity bugs.

Chrome 136 was rolled out with eight security fixes, four of which address flaws reported by external researchers.

The most severe of the externally reported security defects is CVE-2025-4096, a high-severity heap buffer overflow issue in HTML that earned the reporting researcher a $5,000 bug bounty reward.

The remaining three vulnerabilities reported by external researchers include medium-severity out-of-bounds memory access and insufficient data validation issues in DevTools, and a low-severity inappropriate implementation in DevTools.

Google says it paid out $2,000 rewards for the medium-severity bugs and a $1,000 bug bounty for the low-severity one.

The latest Chrome iteration is rolling out ...


Copyright of this story solely belongs to SecurityWeek.