Google has fixed a critical vulnerability with the release of Chrome versions 139.0.7258.154/155 for Windows and macOS and 139.0.7258.154 for Linux. According to Google, the vulnerability has not yet been exploited for attacks in the wild. The manufacturers of other Chromium-based browsers are expected to follow suit in the coming days.
In the Chrome Releases blog post, Krishna Govind presents the eliminated vulnerability (CVE-2025-9478). It is treated as if it were discovered by external security researchers, but Google Big Sleep is named as the discoverer. Big Sleep is an “AI” tool based on Gemini that is designed to detect security vulnerabilities on its own, without human assistance.
As the security findings of such “AI” tools should always be treated with caution, they’re double-checked by experts. Google doesn’t provide any information on how often Big Sleep makes a misdiagnosis. In this case, however, Big Sleep has clearly not made a mistake, and Google even classifies CVE-2025-9478 (a use-after-free vulnerability in the ANGLE graphics library) as critical.
In the previous security update for Chrome from a week ago, Google also closed a security vulnerability discovered by Big Sleep. Whether such “AI” tools will be needed in the near future to find security vulnerabilities in program code generated by “AI” remains to be seen.
Chrome usually updates itself automatically when a new version is available. You can trigger the update check manually using the menu item Help > About Google Chrome. Google has also provided Chrome for Android 139.0.7258.158. The Android version fixes the same vulnerabilities as the desktop version.
Google plans to release Chrome 140 in the coming week, while a small number of users are already getting a taster this week.
Other Chromium-based browsers
The manufacturers of other Chromium-based browsers are now required to follow suit with updates. Microsoft Edge, Brave, and Vivaldi are currently at last week’s security level. However, Vivaldi doesn’t use Chromium 139, but Chromium 138 from the Extended Stable Channel.
Despite the crash fix update on August 25th, Opera is still using the outdated Chromium 135, for which Google has not provided any updates since the end of April. Opera’s next version, which is still equipped with Chromium 137 (from mid-June), is still in the beta test stage and could appear just in time for the release of Chrome 140.