Google Chrome 142 Fixes 20 Security Vulnerabilities, Pays $130,000 in Bounties
Google awarded a total of $130,000 in bug bounty rewards to security researchers for responsibly disclosing issues

CYBER SYRUP

Google has released Chrome version 142 to the stable channel, addressing 20 security vulnerabilities across multiple components of the browser. The update includes seven high-, eight medium-, and five low-severity flaws, reflecting Google’s ongoing focus on fortifying the world’s most widely used browser against exploitation.
The company awarded a total of $130,000 in bug bounty rewards to security researchers for responsibly disclosing these issues.
High-Severity Vulnerabilities
Four of the most serious flaws patched in Chrome 142 affect V8, Chrome’s JavaScript and WebAssembly engine — a common target for attackers due to its central role in executing code within the browser.
Two of these vulnerabilities earned significant bounties, each $50,000, underscoring their potential severity:
- CVE-2025-12428 – A type confusion vulnerability in V8, reported by Man Yue Mo of GitHub Security Lab.
- CVE-2025-12429 – An inappropriate implementation issue in V8, reported by Aorui Zhang.
Both issues were deemed critical enough that, if exploited, they could enable remote code execution (RCE) — allowing an attacker to run arbitrary code within the browser context.
Google also fixed two additional high-severity vulnerabilities:
- An object lifecycle flaw in Media, which earned a $10,000 bounty.
- An inappropriate implementation in Extensions, which received a $4,000 bounty.
Interestingly, three high-severity V8 bugs were not credited to human researchers but instead discovered by Google’s Big Sleep AI agent, an experimental system created by DeepMind and Project Zero in late 2024 to autonomously identify software vulnerabilities.
Medium- and Low-Severity Fixes
The update also resolves several medium-severity vulnerabilities affecting components like Storage, Omnibox, Ozone, App-Bound Encryption, Extensions, and PageInfo.
Low-severity bugs were addressed in areas including Autofill, WebXR, Fullscreen UI, SplitView, and additional Extension-related features.
While Google confirmed a total payout of $130,000, it noted that five vulnerabilities were not eligible for rewards, and two others remain under evaluation for potential payouts.
No Active Exploitation Reported
Google stated that no vulnerabilities patched in Chrome 142 have been exploited in the wild, meaning users are not currently at risk from these specific issues.
However, users are strongly encouraged to update Chrome immediately to ensure full protection. The latest version numbers are:
- Linux: 142.0.7444.59
- Windows: 142.0.7444.59/60
- macOS: 142.0.7444.60
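
A fleet check against the fixed builds listed above, as an added example that is not part of the original article: it classifies inventory records by comparing version numbers numerically rather than as strings. The record format, the hostnames and the choice of .59 as the Windows minimum are assumptions of this example.

```python
import re

# Fixed builds as listed in the article. Windows shipped as .59/.60, so .59 is
# treated as the minimum patched build there (assumption of this example).
FIXED = {
    "linux": (142, 0, 7444, 59),
    "windows": (142, 0, 7444, 59),
    "macos": (142, 0, 7444, 60),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version as a tuple of ints, or None."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(platform, version_text):
    """Return 'patched', 'outdated' or 'unknown' for one inventory record."""
    minimum = FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if minimum is None or version is None:
        return "unknown"  # never report an unparsed record as patched
    # Tuple comparison is numeric per component; comparing the raw strings
    # would rank "99.0.4844.51" above "142.0.7444.59".
    return "patched" if version >= minimum else "outdated"


def audit(records):
    """Map each host to its status; records are (host, platform, version)."""
    return {host: classify(platform, ver) for host, platform, ver in records}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("build-01", "Linux", "Google Chrome 142.0.7444.59"),
    ("dev-07", "macOS", "142.0.7444.59"),
    ("kiosk-03", "Windows", "99.0.4844.51"),
    ("lab-12", "Windows", "142.0.7444.134"),
    ("old-vm", "Linux", "version unavailable"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Records that come back as "unknown" need a manual look, since a host whose version could not be read is not evidence of a patched browser.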
Conclusion
The Chrome 142 release reflects both the maturity of Google’s vulnerability reward program and the growing integration of AI-assisted security research. With human researchers and AI systems now working in tandem to identify complex flaws, the browser’s defense posture continues to evolve — ensuring that even advanced threats are detected and patched before reaching users.

