Chrome V8 use-after-free security flaw (CVE-2025-9864)

Vulnerability
Happening score
H score 16
1 unique source, 1 article

Summary

CVE-2025-9864 is a high-severity use-after-free vulnerability in Chrome's V8 JavaScript engine that can lead to heap corruption and potential remote code execution (RCE) from crafted HTML pages. Google says the flaw was patched in Chrome 140 and that it has no indication of in-the-wild exploitation. The issue was reported by the Yandex Security Team, and browser users should update promptly.

Related Happenings

QuickLens and ShotBird malicious Chrome extension update chain

Malware Activity
First: 09.03.2026 12:28 Last: 09.03.2026 12:28 Sources 1

About this happening: The **QuickLens** and **ShotBird** Chrome extensions have become **malicious after ownership transfer**, turning trusted add-ons into a delivery path for code injection and data t...

QuickLens - Search Screen with Google Lens hit by network compromise

Incident
First: 28.02.2026 21:18 Last: 28.02.2026 21:18 Sources 1

About this happening: The **QuickLens - Search Screen with Google Lens** Chrome extension was **compromised** and used to **push malware** to about **7,000 users**, creating risk of **credential theft*...

GhostPoster malicious browser extension campaign across Chrome, Firefox, and Edge

Campaign
First: 17.01.2026 17:23 Last: 17.01.2026 17:23 Sources 1

About this happening: The **GhostPoster** campaign resurfaced with **17 malicious extensions** in **Chrome, Firefox, and Edge**, putting users at risk of **browser monitoring**, **affiliate-link hijack...

AI browsers indirect prompt injection via URL fragments HashJack security flaw

Vulnerability
First: 26.11.2025 12:15 Last: 26.11.2025 12:15 Sources 1

About this happening: **HashJack** is an **indirect prompt injection** vulnerability in **AI browsers** that hides attacker instructions after the **# symbol** in legitimate URLs, letting a normal-look...

Chromium Blink document.title crash security flaw

Vulnerability
First: 30.10.2025 16:45 Last: 30.10.2025 16:45 Sources 1

About this happening: **Brash** is a **Chromium Blink** vulnerability that can crash **Google Chrome** and other **Chromium-based browsers** in **15-60 seconds** by abusing unthrottled `document.title`...

Timeline

  1. 03.09.2025 17:29 2 articles · 8mo ago

    Google releases Chrome 140 to patch CVE-2025-9864

    Mitigation Patch Update

    Google released Chrome 140 to the stable channel, patching six vulnerabilities including CVE-2025-9864, a high-severity use-after-free in the V8 JavaScript engine reported by the Yandex Security Team. Google says there is no indication the flaw was exploited in the wild, and the update rolls out as 140.0.7339.80/81 for Windows and macOS, 140.0.7339.80 for Linux, and Chrome 140.0.7339.81 for the extended stable channel on Windows and macOS.