Google Chrome < 132.0.6834.83
Chrome 132 promotes to stable with 16 security fixes, headed by five High-severity bugs across V8, Navigation, Skia, Metrics and Tracing. Update Chrome to 132.0.6834.83 (Windows) or 132.0.6834.84 (Mac).
Each of the five High-severity items is independently sufficient for renderer-process code execution or heap corruption when a user navigates to an attacker-controlled page. Chained with a sandbox escape (a separate bug class Chrome has had several of in 2024–2025), any of them becomes a zero-click drive-by RCE on the host. The Medium-severity fenced-frames and navigation bugs additionally enable UI spoofing and origin-check bypass, which is useful for phishing pages that need to look exactly like an internal management console.
Chrome 132 bundles 16 individually-tracked security defects. The High-severity set is the memory-safety core: CVE-2025-0434 (out-of-bounds memory access in V8), CVE-2025-0435 (inappropriate implementation in Navigation, which can enable URL-spoofing or origin-confusion), CVE-2025-0436 (integer overflow in the Skia graphics engine reachable from rasterising a crafted page), CVE-2025-0437 (out-of-bounds read in Metrics — heap corruption / information leak from a crafted page), and CVE-2025-0438 (stack buffer overflow in Tracing). The Medium-severity remainder covers race conditions in Frames, fullscreen-prompt bypass, fenced-frames sandboxing gaps, payments-handler logic flaws and extension data-validation issues. Several reporters were paid VRP bounties; one of the V8 bugs originated from TyphoonPWN 2024.
Probably yes if any of these apply:
Affected OS versions
Google promoted Chrome 132 to the stable channel on January 14, 2025. The release post does not include the "Google is aware that an exploit for CVE-2025-X exists in the wild" statement for any of the fixes; none were exploited at patch time. Coverage by SecurityWeek, Lookout and the Hong Kong Computer Emergency Response Team Coordination Centre flagged it as a routine but unusually large monthly cumulative: most months land four to eight CVEs, so 16 in one release is a meaningful step up. Enterprise change-management teams typically deferred this one until the following day to let the early-stable noise settle.
Manual remediation steps
⏱ 15 minutes per host (browser relaunch only)
Check current Chrome version
(Get-ItemProperty 'HKLM:\SOFTWARE\Google\Chrome\BLBeacon' -ErrorAction SilentlyContinue).version
(Get-ItemProperty 'HKLM:\SOFTWARE\WOW6432Node\Google\Chrome\BLBeacon' -ErrorAction SilentlyContinue).version
Update Chrome
# Trigger Google Update immediately:
$gu = "$env:ProgramFiles\Google\Update\GoogleUpdate.exe"
if (-not (Test-Path $gu)) { $gu = "${env:ProgramFiles(x86)}\Google\Update\GoogleUpdate.exe" }
if (Test-Path $gu) { & $gu /ua /installsource scheduler }
# Or open chrome://settings/help in any open Chrome window and click Relaunch.
Enterprise deployment
Get-ItemProperty 'HKLM:\SOFTWARE\Google\Chrome\BLBeacon' -ErrorAction SilentlyContinue |
Select-Object @{n='Host';e={$env:COMPUTERNAME}}, version
Verify
(Get-ItemProperty 'HKLM:\SOFTWARE\Google\Chrome\BLBeacon').version
# Must show 132.0.6834.83 or later.
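An added example (not from the original page or from Google) that turns the Verify step into a pass/fail check: it reads the two BLBeacon paths queried above and compares the build numerically against 132.0.6834.83 with [version], because a plain string comparison misorders builds such as .9 and .83. The function name Get-ChromePatchStatus and the status labels are assumptions made for this example.

```powershell
# Added example: Windows-only check against the fixed build named in this advisory.
$FixedBuild = [version]'132.0.6834.83'

# The two registry locations queried in the "Check current Chrome version" step.
$BeaconPaths = @(
    'HKLM:\SOFTWARE\Google\Chrome\BLBeacon',
    'HKLM:\SOFTWARE\WOW6432Node\Google\Chrome\BLBeacon'
)

function Get-ChromePatchStatus {   # hypothetical helper name
    param(
        [string[]]$Path    = $BeaconPaths,
        [version]$Minimum  = $FixedBuild
    )
    foreach ($p in $Path) {
        # Missing key or value yields $null instead of an error.
        $raw = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).version
        if (-not $raw) { continue }

        # Parse into [version] so each of the four fields is compared as a number.
        $parsed = $null
        $ok = [version]::TryParse($raw, [ref]$parsed)
        $status = if (-not $ok) { 'Unparseable' } elseif ($parsed -ge $Minimum) { 'Patched' } else { 'Vulnerable' }

        [pscustomobject]@{
            Host      = $env:COMPUTERNAME
            Source    = $p
            Installed = $raw
            Required  = $Minimum.ToString()
            Status    = $status
        }
    }
}

$result = @(Get-ChromePatchStatus)
if ($result.Count -eq 0) {
    # No version value under either queried key; report that explicitly
    # so the host is not silently counted as compliant.
    [pscustomobject]@{
        Host = $env:COMPUTERNAME; Source = $null; Installed = $null
        Required = $FixedBuild.ToString(); Status = 'NotFound'
    }
} else {
    $result
}
```

The output objects can be piped to Export-Csv or collected by a deployment tool; a NotFound row needs manual follow-up rather than being treated as patched.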