Chrome 143.0.7499.40 update: the CVEs, what to do, how to verify
I do not trust “routine browser updates.” This Chrome 143.0.7499.40 stable release ships security fixes, and you should treat it as a security release.
I’ve watched orgs leave Chrome a few versions behind because “it auto-updates anyway,” then scramble when a V8 bug hits the news. Chrome rolls out in waves, managed fleets lag, and suddenly your help desk phones start ringing about broken SSO right when you wanted a quiet week.
What actually changed in 143.0.7499.40
Google promoted Chrome 143.0.7499.40 to the Stable channel for Windows, macOS, and Linux, and it rolls out over days and weeks. That timeline matters if you run a managed environment, because “waiting for auto-update” often means “waiting until after the next incident review.”
- Security fixes (13 issues): Google lists 13 security fixes in the Stable announcement, including multiple High severity items.
- Full commit log: Google links a public changelog compare so you can inspect the non-security fixes commit-by-commit.
- Bug detail restrictions: Google may restrict some bug links until most users update, so you might see limited details for a while.
Security fixes called out by Google (CVE list)
Here’s the part teams skip, then regret. These CVEs appear in the official Stable post for 143.0.7499.40.
- CVE-2025-13630 (High, V8): Type confusion in V8.
- CVE-2025-13631 (High, Google Updater): Inappropriate implementation in Google Updater.
- CVE-2025-13632 (High, DevTools): Inappropriate implementation in DevTools.
- CVE-2025-13633 (High, Digital Credentials): Use-after-free, reported as reachable via a crafted HTML page.
- CVE-2025-13634 (Medium, Downloads): Inappropriate implementation in Downloads.
- CVE-2025-13720 (Medium, Loader): Bad cast in Loader.
- CVE-2025-13721 (Medium, V8): Race in V8.
- CVE-2025-13635 (Low, Downloads): Inappropriate implementation in Downloads.
- CVE-2025-13636 (Low, Split View): Inappropriate implementation in Split View.
- CVE-2025-13637 (Low, Downloads): Inappropriate implementation in Downloads.
- CVE-2025-13638 (Low, Media Stream): Use-after-free in Media Stream.
- CVE-2025-13639 (Low, WebRTC): Inappropriate implementation in WebRTC.
- CVE-2025-13640 (Low, Passwords): Inappropriate implementation in Passwords.
Some bug details and links may stay restricted until most users update. Plan your rollout without assuming you can read every root cause on day one.
Who should upgrade, and how fast
Everyone should update. Now the nuance.
If you manage a fleet, stage it. I’ve seen “browser patch” regress an extension and brick a login flow for a small group, and that small group always includes a VP on hotel Wi‑Fi. Some folks skip pilot rings for browser updates. I don’t, but I get it if you run a tiny shop with no MDM.
- End users: Restart Chrome soon so auto-update can finish.
- IT admins: Push to a pilot group first, then expand when crash reports and auth flows look normal.
- High-risk environments: Treat High severity V8 fixes as urgent, especially on shared or exposed desktops.
How to upgrade (users)
Most installs update themselves. You still need the restart.
- Restart Chrome: Close all Chrome windows, then reopen. Chrome often downloads updates silently and waits for you to restart.
- Force a check: Open chrome://settings/help and let it check for updates.
- Verify the version: Confirm you see 143.0.7499.40 after the restart.
How to upgrade (admins)
Here’s the thing. “Auto-update” and “managed rollout” rarely mean the same thing.
In most environments you will use your normal software deployment path, plus a staged rollout. Watch SSO, watch your top three extensions, and watch crash rates. If you cannot test your browser policies and extensions in staging, you should not be running Chrome at scale.
- Stage the rollout: Start with 5% to 10% of devices for 48 to 72 hours, then expand.
- Verify policy state: Check chrome://policy on pilot machines so you do not chase ghosts caused by an old policy.
- Keep a rollback path: Document how you will pause or revert in your own tooling before you touch production.
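A fleet-side version check to go with the staged rollout above, added here as an example and not taken from Google's tooling or the original post: it compares reported version strings against 143.0.7499.40 numerically and lists hosts that still need attention. The inventory rows, hostnames, ring names and every version value other than the two builds named on this page are constructed.

```python
import re
from collections import Counter

BASELINE = (143, 0, 7499, 40)  # fixed Stable build named on this page
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Extract a four-part Chrome version as a tuple of ints, or None."""
    match = VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None

def classify(text, baseline=BASELINE):
    """Return 'patched', 'behind' or 'unknown' for one reported version string."""
    version = parse_version(text)
    if version is None:
        return "unknown"  # empty or unparseable report: investigate, never assume patched
    # Tuples of ints compare numerically field by field; comparing the raw
    # strings would rank '99.0.4844.51' above '143.0.7499.40'.
    return "patched" if version >= baseline else "behind"

def summarize(inventory):
    """Count statuses per ring and list hosts that still need attention."""
    counts = {}
    attention = []
    for host, ring, reported in inventory:
        state = classify(reported)
        counts.setdefault(ring, Counter())[state] += 1
        if state != "patched":
            attention.append((host, ring, state))
    return counts, attention

# Constructed sample inventory: (hostname, ring, version string as reported).
SAMPLE = [
    ("wks-001", "pilot", "Google Chrome 143.0.7499.40"),
    ("wks-002", "pilot", "143.0.7499.109"),  # hypothetical later build, numerically newer
    ("wks-003", "pilot", "142.0.7444.176"),  # previous build from the changelog range
    ("wks-104", "broad", "99.0.4844.51"),    # constructed old value: the string-compare trap
    ("wks-105", "broad", ""),                # agent reported nothing
    ("wks-106", "broad", "Google Chrome 143.0.7499.40 "),
]

if __name__ == "__main__":
    counts, attention = summarize(SAMPLE)
    for ring, tally in counts.items():
        print(ring, dict(tally))
    for host, ring, state in attention:
        print(f"follow up: {host} ({ring}) is {state}")
```

Feed it whatever export your deployment tool produces; hosts in the "unknown" bucket deserve the same follow-up as hosts that are behind.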
Other stuff in this release: a pile of commits in the changelog, the usual.
Known issues
Google did not list known issues in the Stable announcement for this build as of Dec 2, 2025. That does not mean you will not find one.
- If Chrome updates but feels “off”: Restart again, then test with extensions disabled before you blame the update.
- If your help desk sees login failures: Test in a clean profile and confirm any enterprise SSO or proxy policies still apply.
Official links
Read Google’s Stable announcement and the full changelog before you push to every machine. If you’re reading this on Christmas break, bookmark it and come back.
- Google announcement: Chrome Releases blog post for the Stable update.
- Full changelog: Chromium compare log for 142.0.7444.176 to 143.0.7499.40.
There’s probably a better way to test this, but I still like a pilot ring plus a human doing three real logins before I hit “deploy.”
Frequently Asked Questions
How many security fixes are in Chrome 143.0.7499.40?
Google lists 13 security fixes, including four rated High severity (CVE-2025-13630 through CVE-2025-13633), three Medium, and two Low. The most critical are a V8 type confusion bug and a use-after-free in Digital Credentials that is reachable via crafted HTML pages.
Should I update Chrome to 143.0.7499.40 immediately?
Yes, especially in managed environments. The V8 type confusion (CVE-2025-13630) and the use-after-free in Digital Credentials (CVE-2025-13633) are both High severity and exploitable through web pages. Chrome rolls out in waves, so managed fleets should push the update rather than waiting for auto-update.
How do I verify my Chrome version after updating?
Navigate to chrome://settings/help or chrome://version in the address bar. You should see “143.0.7499.40” or higher. On managed devices, check your fleet management console for rollout status, since auto-updates can lag behind by days or weeks.
Are the Chrome 143 CVE details publicly available?
Partially. Google restricts some bug tracker links until most users have updated. The CVE identifiers and severity ratings are published in the Stable Channel update announcement, but full technical details may be limited for weeks after release.