You are currently viewing Chrome 142 Released: High-Severity V8 Flaws Fixed, $100K in Rewards Paid

Chrome 142 Released: High-Severity V8 Flaws Fixed, $100K in Rewards Paid

Google has released Chrome 142, addressing a total of 20 security flaws, including two high-severity vulnerabilities affecting the V8 JavaScript engine. The company awarded a total of $100,000 in bug bounties to researchers who reported these critical issues.

Vulnerability Details

The two high-severity vulnerabilities in the V8 JavaScript engine are tracked as CVE-2025-12428 and CVE-2025-12428. Both are attributed to type confusion issues within the engine. Google awarded $50,000 each to Man Yue Mo of GitHub Security Lab and Aorui Zhang for reporting these flaws.

Additionally, Google awarded $10,000 for CVE-2025-12430, a Media object lifecycle vulnerability reported by round.about.

Interestingly, three high-severity V8 flaws discovered by Google’s Big Sleep AI agent did not receive any bug bounty rewards.

Other Fixes

In addition to the high-severity V8 flaws, Chrome 142 also includes fixes for multiple medium-severity vulnerabilities in various components, including Omnibox, Storage, Extensions, Ozone, PageInfo, App-Bound Encryption, and V8. Several low-severity flaws in Autofill, WebXR, Fullscreen UI, Extensions, and SplitView were also addressed.

Type Confusion Vulnerability Pattern

Type confusion vulnerabilities in V8 have become a recurring attack vector for threat actors in 2025. These vulnerabilities are particularly valuable to attackers because they enable arbitrary code execution through low-friction delivery mechanisms (malicious web pages) with minimal user interaction beyond visiting a compromised site.

Affected Versions and Mitigation

The vulnerabilities affect Google Chrome 142 and earlier versions, as well as the V8 JavaScript engine. The patched version, Chrome 142.0.7444.59/60, is rolling out for Linux, Windows, and macOS, with slight version differences across platforms. Users are advised to update to the latest version to mitigate the risks.

TTPs: Tactics, Techniques, and Procedures

While the article does not provide specific TTPs, type confusion vulnerabilities in JavaScript engines are often exploited to achieve arbitrary code execution. This aligns with the following MITRE ATT&CK tactic and technique:

  • TA0002 – Execution: Exploiting the vulnerability to execute arbitrary code.
  • T1203 – Exploitation for Client Execution: Tricking a user into visiting a malicious website that exploits the vulnerability.

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.