Google fixes critical Chrome flaw, researcher earns $43K

Pierluigi Paganini
September 11, 2025

Google addressed a critical use-after-free vulnerability in its Chrome browser that could potentially lead to code execution.

A researcher earned $43,000 from Google for reporting a critical Chrome vulnerability, tracked as CVE-2025-10200, in the Serviceworker component.

A use-after-free (UAF) occurs when a program accesses memory after it has been freed. This can cause crashes or data corruption, or enable exploits such as remote code execution. UAFs are common in C/C++ programs and appear frequently in browsers and operating system software that rely on manual memory management.

The researcher Looben Yang reported the vulnerability to Google on August 22, 2025.
Google rolled out a Chrome update that addressed this issue and another bug, tracked as CVE-2025-10201. CVE-2025-10201 is an inappropriate implementation in Mojo, which is an inter-process communication (IPC) framework used by Google Chrome.

Researcher Sahan Fernando and an anonymous expert reported CVE-2025-10201 and earned $30,000 from Google.

The Chrome update is being released as version 140.0.7339.127/.128 for Windows, 140.0.7339.132/.133 for macOS, and 140.0.7339.127 for Linux.

Google did not reveal whether any of these vulnerabilities have been actively exploited in the wild.


(SecurityAffairs – hacking, Google)


