Google has rolled out Chrome 134 to the stable channel for Windows, macOS, and Linux, addressing 14 security vulnerabilities—including high-severity flaws that could enable remote code execution or crashes.
The update, version 134.0.6998.35 for Linux, 134.0.6998.35/36 for Windows, and 134.0.6998.44/45 for macOS, follows weeks of testing and includes critical fixes for vulnerabilities in components like V8, PDFium, and Media Stream.
External researchers contributed nine of the patches, earning up to $7,000 in bug bounties, while Google’s internal teams resolved five additional issues through audits and automated tools.
Security Enhancements and External Collaborations
The most severe vulnerability, CVE-2025-1914, earned researchers Zhenghang Xiao and Nan Wang a $7,000 bounty for identifying an out-of-bounds read in Chrome’s V8 JavaScript engine.
This class of vulnerability often allows attackers to bypass security protocols or leak sensitive memory data.
Another critical fix, CVE-2025-1915, patched a path traversal flaw in DevTools that could expose local files, reported by Topi Lassila for a $4,000 reward.
Medium-severity issues dominated the update, including a use-after-free flaw in Profiles (CVE-2025-1916) reported by South Korea’s SSD Labs and an out-of-bounds read in PDFium (CVE-2025-1918) discovered by researcher “asnine.”
Notably, Khalil Zhani received two rewards totaling $3,000 for reporting implementation flaws in Browser UI and Permission Prompts (CVE-2025-1917 and CVE-2025-1923).
| CVE ID | Severity | Vulnerability Description |
|---|---|---|
| CVE-2025-1914 | High | Out-of-bounds read in V8 |
| CVE-2025-1915 | Medium | Path traversal in DevTools |
| CVE-2025-1916 | Medium | Use-after-free in Profiles |
| CVE-2025-1917 | Medium | Browser UI implementation flaw |
| CVE-2025-1918 | Medium | Out-of-bounds read in PDFium |
| CVE-2025-1919 | Medium | Out-of-bounds read in Media |
| CVE-2025-1921 | Medium | Media Stream implementation flaw |
| CVE-2025-1922 | Low | Selection implementation flaw |
| CVE-2025-1923 | Low | Permission Prompts implementation flaw |
Internal Safeguards and Ongoing Efforts
Google’s internal security teams addressed five additional vulnerabilities through tools like AddressSanitizer and Control Flow Integrity.
These efforts focused on hardening components such as networking stacks and DOM handling, though specific CVE identifiers remain undisclosed to prevent exploitation.
The company emphasized its commitment to “zero-day prevention” through continuous fuzzing and sandboxing improvements.
The update will deploy incrementally over the coming weeks. Users can manually trigger an update via Chrome > Help > About Google Chrome.
Enterprises on the Extended Stable Channel will receive versions 134.0.6998.36 (Windows) and 134.0.6998.45 (macOS).
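Because the rollout is incremental, a fleet can be checked against the patched builds listed above. The following is an added example, not code from Google or from the original article; it assumes the lower build of each listed pair is the minimum patched version per platform, and the inventory entries are constructed sample data.

```python
import re

# Minimum patched builds per platform, taken from the version numbers in the article.
# Assumption: the lower build of each listed pair is the patch floor.
PATCHED = {
    "linux": (134, 0, 6998, 35),
    "windows": (134, 0, 6998, 35),
    "macos": (134, 0, 6998, 44),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version from text such as `chrome --version` output."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(platform, version_text):
    """True when the installed build is at or above the patched build for the platform."""
    # Compare as integer tuples: a string comparison would rank "99.x" above "134.x".
    return parse_version(version_text) >= PATCHED[platform.lower()]


def unpatched_hosts(inventory):
    """Return (host, platform, version) for every host below the patched build."""
    findings = []
    for host, platform, version_text in inventory:
        try:
            if not is_patched(platform, version_text):
                findings.append((host, platform, version_text))
        except (ValueError, KeyError):
            # Unparseable version or unknown platform: report for manual review.
            findings.append((host, platform, version_text))
    return findings


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = [
    ("ws-001", "windows", "Google Chrome 134.0.6998.36"),
    ("ws-002", "windows", "Google Chrome 133.0.6943.142"),
    ("mac-01", "macos", "Google Chrome 134.0.6998.35"),
    ("lnx-01", "linux", "Google Chrome 99.0.4844.51"),
    ("lnx-02", "linux", "Google Chrome 134.0.6998.35"),
]
```

Note that `mac-01` is flagged even though its build number matches the patched Linux and Windows build, because the macOS fix ships in a later build.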
Google temporarily restricted access to detailed bug reports until most users install the patches. Researchers are urged to report new issues via Chrome’s bug tracker, with bounties available through the Vulnerability Reward Program.
As exploit chains targeting browsers grow more sophisticated, timely updates are critical. Chrome 134 underscores the balance between open-source collaboration and behind-the-scenes hardening—a model increasingly adopted across the industry.