Updated October 24 with details of a new password stealer that can bypass the Google Chrome AppBound encryption protections, as well as further information concerning the emergency security update for all Chrome browser users, apart from the 400 million running the iOS app.
If you are one of the 3 billion users of the Chrome web browser across the Windows, Mac, Linux and Android ecosystems, then you need to ensure you take note as Google issues the second emergency security update in the space of a week. Here’s everything you need to know about CVE-2025-12036, and how to get protected from the potential remote code execution attacks it can open unpatched users to.
Google Confirms Second Emergency Chrome Security Update In The Space Of A Week
No sooner has Google taken the unusual step of releasing a ‘single security fix’ update for all users of the world’s most popular web browser, than a second emergency update has been released to deal with yet another high-priority vulnerability that could leave users open to remote code attacks.
The latest update addresses CVE-2025-12036, a highly dangerous vulnerability that impacts the browser’s V8 JavaScript rendering engine, with the power to execute arbitrary malicious code with no further user input than visiting a compromised web page.
Srinivas Sista, from the Google Chrome team, has confirmed that the vulnerability was found by Google’s own AI-powered Big Sleep security resource. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Sista said, adding that the security fix will roll out to all users across “the coming days/weeks.”
Well, when Google says all users, it means everyone except for those who have the Chrome browser on their iPhones. As is always the case, which speaks volumes to the security of the device itself, there is no security update for iOS users. Of course, I have to say that it always amazes me that it is reported there are between 300 and 400 million people using Chrome on iOS, which equates to somewhere between 30 and 40 percent in total. Why anyone would opt for Chrome rather than the privacy-centric Safari browser app is beyond me, but hey ho. Google has, however, updated the Chrome iOS app to version 142.0.7444.46, but, Sista said, this only “includes stability and performance improvements.”
New Google Chrome Browser Password Stealer Confirmed — What To Know
While Google has been diligently updating Chrome against the latest security threats, cybercriminals have also been busy updating threats that can impact users of the world’s most popular web browser client. Take, for example, the threat actors behind the Vidar Stealer malware-as-a-service platform that, newly published research has revealed, has just been updated to include the most advanced anti-analysis protections to thwart security protections, and, in the same vein, what have been described as sophisticate measures to ensure the malware can grab web browser credentials despite Chrome employing the latest AppBound encryption techniques to prevent this.
Trend Micro security researchers have now confirmed that “the developer known as ‘Loadbaks’ announced the release of Vidar Stealer v2.0 on underground forums.” This evolution of a platform that has been around since 2018, Trend Micro suggested, could be an attempt by its developers to position themselves to “occupy the space left after Lumma Stealer’s decline.”
The malicious actors behind Vidar Stealer v2.0, meanwhile, described it as being not just an update but a new era. As well as improvements in speed and stability, they claimed, it features “an automatic morpher,” making each and every build unique and helps sidestep the Chrome AppBound encryption protections. Trend Micro confirmed that binary analysis revealed the malware to be capable of comprehensive browser credential extraction capabilities, “targeting both traditional browser storage methods and Chrome’s latest security protections across multiple browser platforms, including Chrome, Firefox, Edge, and other Chromium-based browsers.”
Another of the changes is that it now uses a multi-threading system to adjust its performance based on the victim’s computer specifications, meaning it can scale operations easily “without overwhelming the target system.” Trend Micro said that this allows Vidar Stealer 2.0 to “steal data from multiple sources simultaneously – such as browsers, cryptocurrency wallets, and files – rather than processing them one at a time.”
I have reached out to Google for a statement. And will update the article in due course, should one be forthcoming.
How To Protect Google Chrome From CVE-2025-12036 Right Now
The good news is that it’s easy to protect your Google Chrome browser from the potential impact of CVE-2025-12036 immediately. To update your Chrome browser client to 141.0.7390.122/.123 for Windows and Mac, 141.0.7390.122 for Linux, and 141.0.7390.122 for Android, just follow these instructions.
As the update process is automated, once it has arrived in your browser, you should see a flag that lets you know it’s there. If you do not see this, then head for the settings menu and select About Google Chrome. This will kickstart the update process. Ensure you follow the instructions correctly, especially when it comes to relaunching your Chrome browser. If you do not, then the update will not be applied and won’t activate the security patch.
Android users should also note that, as I reported earlier this year, Chrome security updates would no longer be available to some 300 million devices as of August 5. The latest emergency update is a prime example of why ensuring that your device is both capable of, and actually is, running Android 10.0 or later. Earlier versions are the ones that no longer get security updates. Ellen T, a Chrome support manager at Google, has officially confirmed in a Google Chrome community posting that “Chrome 138 is the last version of Chrome that will support Android 8.0 and Android 9.0,” so you know what to do if that includes you!