Critical Chrome Vulnerability Earns Specialist $43,000

Google has patched a critical use-after-free vulnerability in the Chrome browser that could have allowed remote code execution. The cybersecurity specialist who discovered the flaw received a $43,000 reward through Google’s bug bounty program.

This week’s Chrome update fixed two vulnerabilities reported by external researchers. The critical bug, located in the ServiceWorker component, was assigned the identifier CVE-2025-10200 and was discovered by independent bug hunter Looben Yang.

The flaw is categorized as a use-after-free vulnerability, a memory-safety condition that arises when a program continues to use memory after it has already been freed. Exploiting such issues typically involves placing attacker-controlled data in the freed memory so that the stale reference operates on it, which can result in arbitrary code execution and full system compromise.

Google also patched CVE-2025-10201, identified by Sahan Fernando and an anonymous researcher. This vulnerability stemmed from an improper implementation in Mojo, and the researchers were awarded $30,000 for their findings.

Although Google has not observed these vulnerabilities being exploited in the wild, users are strongly advised to update Chrome immediately. The patches were released in:

  • Windows: versions 140.0.7339.127/.128
  • macOS: versions 140.0.7339.132/.133
  • Linux: version 140.0.7339.127

While the payouts were significant, they fall short of the record set last month. At that time, a bug hunter known as Micky earned $250,000 for discovering a Chrome vulnerability that enabled sandbox escape—the largest Chrome bug bounty reward to date.