A critical security hole in Chrome, uncovered by Google’s AI-based Big Sleep, highlights the rising role of automated threat detection. Google classifies this vulnerability as critical and urges all users to update. Other Chromium-based browsers are expected to follow soon.
Subscribe
Industry News
Security and Privacy Features
Google’s in-house AI agent discovers critical vulnerability in Chrome
Photo by Pcworld
Key Takeaways:
- Google discovered and patched a critical Chrome vulnerability, CVE-2025-9478.
- Big Sleep is an AI tool that detects flaws with minimal human assistance.
- Chrome users should update immediately to version 139.0.7258.154/155.
- Other Chromium-based browsers need to release similar patches.
- Opera lags behind, using older Chromium 135 with no updates since April.
Introduction
Google has fixed a critical vulnerability in Chrome, affecting versions 139.0.7258.154/155 on Windows, macOS, and Linux. The flaw, classified as CVE-2025-9478, was discovered by Big Sleep—Google’s in-house AI tool designed to detect security risks without human intervention.
The Use-After-Free Vulnerability
CVE-2025-9478 resides in Chrome’s Angle graphics library and involves a use-after-free bug. According to Google, the issue had not been exploited before it was detected. Since Google ranks the flaw as critical, users are strongly advised to install the available updates immediately.
Big Sleep’s Role
The vulnerability was “treated as if it were discovered by external security researchers,” yet Google credited Big Sleep for the discovery in its Chrome Releases blog post. Based on the Gemini platform, Big Sleep is built to identify security weaknesses on its own. Although Google does not reveal how frequently Big Sleep makes misdiagnoses, this instance was confirmed by human experts—proving the AI’s accuracy, at least in this case.
Staying Updated
Google’s browsers typically update themselves automatically, but users can trigger the update check through the Help > About Google Chrome option. Google has also rolled out a matching fix for Chrome on Android—version 139.0.7258.158—to address the same vulnerabilities.
Other Chromium-Based Browsers
Outside of Chrome, Microsoft Edge, Brave, and Vivaldi must follow suit to address the same vulnerability. Vivaldi is still using Chromium 138, and Brave and Edge are on last week’s security level with no immediate patch release noted at the time of this writing. Opera, however, lags behind significantly on Chromium 135, which Google stopped updating in April. Opera’s next version—featuring Chromium 137—is in beta and may be released around the time Chrome 140 arrives.
Looking Ahead
Chrome 140 is expected to roll out in the coming weeks, with a small swath of users already testing it. Alongside Google’s repeated emphasis on prompt user updates, the discovery of yet another critical vulnerability by an AI tool raises questions about how such automated systems may transform the future of cybersecurity—especially as AI-generated code becomes more prevalent.
