Google has officially promoted Chrome 137 to the stable channel for Windows, Mac, and Linux platforms, marking a significant milestone in browser security and artificial intelligence integration. The Chrome team announced the release on May 27, 2025, with the update rolling out globally over the coming days and weeks.
Chrome 137.0.7151.55 for Linux and 137.0.7151.55/56 for Windows and Mac delivers substantial security improvements, addressing 11 critical vulnerabilities identified by both external researchers and internal security teams.
The update tackles several high-severity issues, including CVE-2025-5063, a use-after-free vulnerability in Compositing reported by an anonymous researcher on April 18, 2025, and CVE-2025-5280, an out-of-bounds write issue in V8 discovered by security researcher pwn2car on May 12, 2025.
Google has implemented a comprehensive bug bounty program, rewarding security researchers for their contributions. Notable payments include $4,000 for Maurice Dauer's discovery of inappropriate implementation in the Background Fetch API, $2,000 for NDevTK's FileSystemAccess API findings, and $1,000 for Mohit Raj's identification of messaging vulnerabilities.
The company continues its commitment to transparency while maintaining responsible disclosure practices, restricting access to bug details until most users receive the security patches.
CVE ID | Severity | Type | Description | Reported By | Bounty |
---|---|---|---|---|---|
CVE-2025-5063 | High | Use-after-free in Compositing | Heap corruption vulnerability via crafted HTML pages in rendering pipeline | Anonymous (2025-04-18) | TBD |
CVE-2025-5280 | High | Out-of-bounds write in V8 | Memory corruption in JavaScript engine allowing potential remote code execution | pwn2car (2025-05-12) | TBD |
CVE-2025-5064 | Medium | Background Fetch API flaw | Cross-origin data leakage through improper implementation of background fetch operations | Maurice Dauer (2021-11-29) | $4,000 |
CVE-2025-5065 | Medium | FileSystemAccess API issue | UI spoofing attacks enabling malicious file operations through crafted dialog manipulation | NDevTK (2022-03-11) | $2,000 |
CVE-2025-5066 | Medium | Messages implementation flaw | UI gesture-based spoofing vulnerability affecting Android Chrome users | Mohit Raj (2024-07-31) | $1,000 |
CVE-2025-5281 | Medium | BFCache vulnerability | Potential cross-origin information leakage through improper back/forward cache handling | Jesper van den Ende (2025-05-12) | TBD |
CVE-2025-5283 | Medium | libvpx use-after-free | Heap corruption in VP8/VP9 video processing via malicious media content | Mozilla (2025-05-22) | TBD |
CVE-2025-5067 | Low | Tab Strip implementation | UI spoofing through crafted tab strip interactions | Khalil Zhani (2023-10-17) | $500 |
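
A fleet check against the fixed builds named in this article, as an added example that is not part of the original report: it parses reported version strings and flags hosts below 137.0.7151.55. The inventory format, hostnames and sample version strings are constructed assumptions.

```python
import re

# Fixed builds as stated in the article: 137.0.7151.55 for Linux and
# 137.0.7151.55/56 for Windows and Mac. The lower build is used as the floor.
MIN_FIXED = {
    "linux": (137, 0, 7151, 55),
    "windows": (137, 0, 7151, 55),
    "mac": (137, 0, 7151, 55),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version as a tuple of ints, or None."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(platform, version_text):
    """Return 'patched', 'outdated' or 'unknown' for one inventory record."""
    floor = MIN_FIXED.get(platform.lower())
    version = parse_version(version_text)
    if floor is None or version is None:
        return "unknown"  # unparsable output is surfaced, never assumed patched
    # Tuple comparison is numeric per component; comparing the raw strings
    # would wrongly rank "137.0.7151.9" above "137.0.7151.55".
    return "patched" if version >= floor else "outdated"


def audit(inventory):
    """Map host -> status; inventory rows are (host, platform, version_text)."""
    return {host: classify(plat, text) for host, plat, text in inventory}


# Constructed sample inventory (hostnames and version strings are made up).
SAMPLE_INVENTORY = [
    ("ws-001", "windows", "Google Chrome 137.0.7151.56"),
    ("ws-002", "windows", "Google Chrome 136.0.1.2"),
    ("lx-010", "linux", "Google Chrome 137.0.7151.9"),
    ("mb-020", "mac", "Google Chrome 138.0.1.2"),
    ("lx-011", "linux", "chrome: command not found"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```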
The most groundbreaking feature in Chrome 137 is the integration of Google's Gemini Nano large language model, which provides on-device artificial intelligence capabilities to combat sophisticated cyber threats.
This innovation targets tech support scams explicitly, which have become increasingly prevalent and sophisticated in their approach to deceiving users.
The AI-powered system operates entirely on users' devices, ensuring privacy while analyzing webpage content in real-time. When Chrome detects characteristic scam triggers, such as misuse of keyboard-lock APIs, Gemini Nano evaluates the page's intent by processing text, layout, and behavioral cues.
This approach allows Chrome to identify deceptive patterns and generate security signals for Google's Safe Browsing service, providing protection against threats that exist for fewer than 10 minutes on average.
Beyond security improvements, Chrome 137 introduces several significant web platform enhancements. The update includes support for floating-point color types in canvas rendering contexts, essential for high-precision applications such as medical visualization and high dynamic range content.
Additionally, the browser now supports SVG <use> elements that can reference external documents' root elements without requiring explicit fragment identifiers, streamlining web development workflows.
The release also implements Document-Isolation-Policy, enabling documents to achieve cross-origin isolation without deploying complex security headers, and adds Ed25519 cryptographic algorithm support to the Web Cryptography API.
Chrome's dominance in the browser market, with approximately 65% worldwide market share across all platforms as of 2024, means these security enhancements will impact billions of users globally.
The integration of on-device AI represents a paradigm shift in browser security, moving from reactive blocklist-based defenses to proactive, intelligent threat detection.
This release demonstrates Google's commitment to leveraging artificial intelligence for cybersecurity while maintaining user privacy through on-device processing, setting new standards for browser security in an era of increasingly sophisticated cybe