
Chrome 143.0.7499.109/.110 update: the CVEs and what I’d do next

Jack Pauley December 16, 2025 6 min read

Browser patches break things. They also stop real attacks, and this one includes a High-severity fix with an exploit in the wild.

Google posted a Stable channel update on December 10, 2025. It moves Windows and macOS to 143.0.7499.109/.110, and Linux to 143.0.7499.109, and Google says the rollout will happen over the coming days and weeks.

What actually changed (not the marketing version)

I’ve watched teams approve “security and stability” updates without reading the CVE list, then scramble when an extension or SSO flow acts weird. So I start with the concrete bits from the release post, then I decide how fast to push.

  • Windows and macOS: Update to 143.0.7499.109/.110.
  • Linux: Update to 143.0.7499.109.
  • Security fixes: The release post lists three fixes total, one High and two Medium.

The security fixes (CVE list you can forward to IT)

Ignore the GitHub commit count. It’s a vanity metric. I care about exploitability, and Google explicitly says one of these has an exploit in the wild.

  • CVE-2025-14174 (High): Out of bounds memory access in ANGLE. Google says an exploit exists in the wild.
  • CVE-2025-14372 (Medium): Use after free in Password Manager.
  • CVE-2025-14373 (Medium): Inappropriate implementation in Toolbar.

If you only read one line: CVE-2025-14174 has an exploit in the wild. That usually means “move sooner than your normal browser patch window.”

Who should upgrade, and how paranoid to be

Depends on how you run Chrome. Home users can just update and relaunch. Enterprises should stage it unless the exploit note changes your risk tolerance.

  • Home users: Update as soon as Chrome offers it, then relaunch the browser so the new build actually loads.
  • Enterprise fleets: Pilot on a small group first, then roll out in waves. Some folks skip canaries for browser patches. I don’t, but I get it.
  • High-risk users (admins, finance, anyone handling sensitive data): Treat this as urgent because of the in-the-wild exploit note.

How to upgrade and verify the exact build

This bit has bitten people. Chrome downloads the update, then sits there until a relaunch, and your “I updated” screenshot still shows the old version.

  • Check and update: Open chrome://settings/help and let Chrome download the update.
  • Finish the job: Relaunch Chrome when prompted, then re-check the version.
  • Verify: Confirm you’re on 143.0.7499.109 or 143.0.7499.110 (Windows/macOS), or 143.0.7499.109 (Linux).
  • Enterprise rollouts: Use Chrome Browser Cloud Management or your existing policies to stage and then expand the deployment.

Known issues (what the post says, and what it does not)

The Chrome Releases post does not list known issues for this update. I do not trust “known issues: none” from any project, so keep an eye on extension breakage and weird auth prompts after the relaunch.

Other stuff in this release: the usual.

Official reference

Read the original release post, including the CVE list and rollout note: Chrome Releases blog.

Verify Chrome version from the command line

The GUI check at chrome://settings/help works for one machine. If you manage a fleet, you need something scriptable. Here is how to pull the version on each platform:

# macOS
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --version
# Expected output: Google Chrome 143.0.7499.110

# Linux
google-chrome --version
# Expected output: Google Chrome 143.0.7499.109

# Windows (PowerShell)
(Get-Item "C:\Program Files\Google\Chrome\Application\chrome.exe").VersionInfo.FileVersion
# Expected output: 143.0.7499.110

Pipe this into your inventory tool or CMDB. If the version is lower than 143.0.7499.109, the machine is still vulnerable to CVE-2025-14174.

Enforce the update with Chrome enterprise policies

If you manage Chrome via Google Admin Console or group policy, you can force the update window tighter than the default “rollout over coming days and weeks.” Here is a JSON policy snippet for managed Chrome:

{
  "RelaunchNotification": 2,
  "RelaunchNotificationPeriod": 3600000,
  "RelaunchWindow": {
    "entries": [
      {
        "start": { "hour": 2, "minute": 0 },
        "duration_mins": 120
      }
    ]
  },
  "TargetVersionPrefix": "143.0.7499."
}

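RelaunchNotification: 2 means “required relaunch.” The RelaunchNotificationPeriod gives users one hour (3,600,000 ms) before Chrome force-restarts. The RelaunchWindow limits that forced restart to 02:00-04:00 so you don’t interrupt meetings. Adjust the window to match your maintenance schedule. TargetVersionPrefix restricts updates to builds that start with 143.0.7499., so remove or raise it once the fleet is patched, otherwise it will also hold back later releases.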

Quick audit script for fleet compliance

For teams running SSH access to Linux machines or using a tool like Ansible, here is a one-liner to check which hosts are still on the old version:

# Check all hosts in your inventory (-o prints each host and its output on one line)
ansible all -o -m shell -a "google-chrome --version 2>/dev/null || echo 'Chrome not installed'" | grep -Ev '143\.0\.7499\.(109|110)|Chrome not installed'
# Any output = hosts still on a vulnerable version (or unreachable)

If you are not using Ansible, a simple SSH loop works:

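for host in $(cat hosts.txt); do
  echo -n "$host: "
  ssh "$host" "google-chrome --version 2>/dev/null || echo 'N/A'"
# Match the fixed builds exactly; the bare 143.0.7499 prefix would also hide older 143.0.7499.x builds
done | grep -Ev '143\.0\.7499\.(109|110)'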

Run this daily until your fleet reaches full coverage. The in-the-wild exploit on CVE-2025-14174 means you want zero stragglers.
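
Both checks above match version strings as text, while the rule stated earlier is numeric: anything lower than 143.0.7499.109 is vulnerable. The following added example (not part of the original post) compares versions field by field, so later releases pass and older 143.0.7499.x builds do not. The host names, the "host: output" input format and every sample version other than 143.0.7499.109 are constructed for illustration.

```shell
#!/bin/sh
# Added example: report hosts whose Chrome build is below the fixed version.
MIN_FIXED="143.0.7499.109"   # lowest fixed build named in the article

# version_lt A B: succeed if four-part version A is numerically lower than B.
version_lt() {
  _a=$1; _b=$2
  for _i in 1 2 3 4; do
    _x=${_a%%.*}; _y=${_b%%.*}
    if [ "$_x" -lt "$_y" ]; then return 0; fi
    if [ "$_x" -gt "$_y" ]; then return 1; fi
    _a=${_a#*.}; _b=${_b#*.}
  done
  return 1   # equal versions are not "lower"
}

# extract_version TEXT: print the first a.b.c.d version in TEXT, if any.
extract_version() {
  printf '%s\n' "$1" | grep -Eo '[0-9]+(\.[0-9]+){3}' | head -n 1
}

# audit: read "host: <google-chrome --version output>" lines on stdin and
# print only hosts that are below MIN_FIXED or returned no usable version.
audit() {
  while IFS= read -r line; do
    if [ -z "$line" ]; then continue; fi
    host=${line%%:*}
    ver=$(extract_version "${line#*:}")
    if [ -z "$ver" ]; then
      printf '%s UNKNOWN\n' "$host"
    elif version_lt "$ver" "$MIN_FIXED"; then
      printf '%s VULNERABLE %s\n' "$host" "$ver"
    fi
  done
}

# Constructed sample input (hostnames and all versions except .109 are made up).
SAMPLE='web01: Google Chrome 143.0.7499.109
web02: Google Chrome 143.0.7499.40
web03: Google Chrome 142.0.7444.10
web04: Google Chrome 144.0.7500.10
web05: N/A'

printf '%s\n' "$SAMPLE" | audit
```

The output of the SSH loop above (before its grep filter) is already in the format audit reads on stdin.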

Monitor your Chrome versions with ReleaseRun

Instead of manually checking Chrome releases, you can track the current version and health status on our Chrome release tracker. We also provide embeddable Chrome health badges for your internal dashboards, and you can scan your security posture with our free security header analyzer.
