Both Google Chrome and Mozilla Firefox just rolled out major updates this week, addressing a fresh batch of security vulnerabilities—some of them high severity with potential impact on real-world enterprise environments.
With the release of Chrome 136, Google patched eight security issues, including four reported by external researchers. The most critical among them, CVE-2025-4096, is a heap buffer overflow in HTML that could lead to serious exploitation. Google awarded a $5,000 bug bounty for this one alone.
Other Chrome fixes include:
- Out-of-bounds memory access
- Insufficient data validation in DevTools
- A low-severity inappropriate implementation in DevTools
(those latter two earned $2,000 and $1,000 bounties respectively)
Chrome 136 is now available as:
- 136.0.7103.48/49 for Windows and macOS
- 136.0.7103.59 for Linux
On the Mozilla side, Firefox 138 landed with 11 security patches, including:
- Four high-severity flaws capable of privilege escalation, sandbox escapes, and potentially arbitrary code execution
- Six medium-severity issues tied to information leaks, file extension spoofing, memory corruption, CSRF, and other vectors
- A low-severity Android-specific bug
Mozilla confirmed these fixes also extend to Thunderbird 138, and updates are live for Firefox ESR and Thunderbird ESR as well.
So far, neither Google nor Mozilla has reported active exploitation in the wild, but the nature of the bugs—especially those tied to remote code execution and privilege escalation—makes them worth watching closely. For teams managing browser security at scale, especially in environments where users access sensitive web apps or handle customer data, these kinds of updates are a regular reminder of how quickly the threat surface evolves, even in tools we use every day.
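For teams checking a fleet against these releases, here is an added example (not from the article or from either vendor) that compares installed browser builds with the patched versions listed above; the inventory format, hostnames and installed versions are constructed for illustration.

```python
"""Added example: flag browser installs below the patched builds the article
lists. Inventory records and hostnames are constructed for illustration."""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Patched floors taken from the article. Chrome 136 ships as 136.0.7103.48/49
# on Windows and macOS (so .48 is the floor) and 136.0.7103.59 on Linux.
# For Firefox the article gives only the major version, 138.
PATCHED: Dict[Tuple[str, str], Version] = {
    ("chrome", "windows"): (136, 0, 7103, 48),
    ("chrome", "macos"): (136, 0, 7103, 48),
    ("chrome", "linux"): (136, 0, 7103, 59),
    ("firefox", "windows"): (138,),
    ("firefox", "macos"): (138,),
    ("firefox", "linux"): (138,),
}

def parse_version(text: str) -> Version:
    """'136.0.7103.49' -> (136, 0, 7103, 49); compared numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))

def is_patched(browser: str, os_name: str, installed: str) -> bool:
    """True when the installed build is at or above the patched floor.
    Tuples compare element-wise and a shorter prefix sorts lower, so
    (138,) <= (138, 0) holds, which is what we want for a major-only floor."""
    floor = PATCHED[(browser.lower(), os_name.lower())]
    return parse_version(installed) >= floor

def unpatched_hosts(inventory: List[str]) -> List[str]:
    """Inventory lines use the constructed format 'hostname,browser,os,version'."""
    stale = []
    for line in inventory:
        host, browser, os_name, version = (f.strip() for f in line.split(","))
        if not is_patched(browser, os_name, version):
            stale.append(host)
    return stale

# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE_INVENTORY = [
    "ws-01,chrome,windows,136.0.7103.49",   # patched
    "ws-02,chrome,windows,135.0.7049.114",  # one major release behind
    "dev-03,chrome,linux,136.0.7103.48",    # fine on Windows, below the Linux build
    "mac-04,firefox,macos,138.0",           # patched
    "mac-05,firefox,macos,137.0.2",         # stale
]

if __name__ == "__main__":
    print("Needs update:", unpatched_hosts(SAMPLE_INVENTORY))  # ['ws-02', 'dev-03', 'mac-05']
```

The per-platform table matters: the same Chrome build number can be current on Windows and still below the patched Linux release.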