Security update for chromium SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025-20140-1 Final 1 1 2025-12-05T04:56:10Z current 2025-12-05T04:56:10Z 2025-12-05T04:56:10Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for chromium This update for chromium fixes the following issues: Changes in chromium: Chromium 143.0.7499.40 (boo#1254429): * CVE-2025-13630: Type Confusion in V8 * CVE-2025-13631: Inappropriate implementation in Google Updater * CVE-2025-13632: Inappropriate implementation in DevTools * CVE-2025-13633: Use after free in Digital Credentials * CVE-2025-13634: Inappropriate implementation in Downloads * CVE-2025-13720: Bad cast in Loader * CVE-2025-13721: Race in v8 * CVE-2025-13635: Inappropriate implementation in Downloads * CVE-2025-13636: Inappropriate implementation in Split View * CVE-2025-13637: Inappropriate implementation in Downloads * CVE-2025-13638: Use after free in Media Stream * CVE-2025-13639: Inappropriate implementation in WebRTC * CVE-2025-13640: Inappropriate implementation in Passwords The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Leap-16.0-packagehub-43 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1254429 SUSE Bug 1254429 https://www.suse.com/security/cve/CVE-2025-13630/ SUSE CVE CVE-2025-13630 page https://www.suse.com/security/cve/CVE-2025-13631/ SUSE CVE CVE-2025-13631 page https://www.suse.com/security/cve/CVE-2025-13632/ SUSE CVE CVE-2025-13632 page https://www.suse.com/security/cve/CVE-2025-13633/ SUSE CVE CVE-2025-13633 page https://www.suse.com/security/cve/CVE-2025-13634/ SUSE CVE CVE-2025-13634 page https://www.suse.com/security/cve/CVE-2025-13635/ SUSE CVE CVE-2025-13635 page https://www.suse.com/security/cve/CVE-2025-13636/ SUSE CVE CVE-2025-13636 page https://www.suse.com/security/cve/CVE-2025-13637/ SUSE CVE CVE-2025-13637 page https://www.suse.com/security/cve/CVE-2025-13638/ SUSE CVE CVE-2025-13638 page https://www.suse.com/security/cve/CVE-2025-13639/ SUSE CVE CVE-2025-13639 page https://www.suse.com/security/cve/CVE-2025-13640/ SUSE CVE CVE-2025-13640 page https://www.suse.com/security/cve/CVE-2025-13720/ SUSE CVE CVE-2025-13720 page https://www.suse.com/security/cve/CVE-2025-13721/ SUSE CVE CVE-2025-13721 page openSUSE Leap 16.0 chromedriver-143.0.7499.40-bp160.1.1 chromium-143.0.7499.40-bp160.1.1 chromedriver-143.0.7499.40-bp160.1.1 as a component of openSUSE Leap 16.0 chromium-143.0.7499.40-bp160.1.1 as a component of openSUSE Leap 16.0 Type Confusion in V8 in Google Chrome prior to 143.0.7499.41 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) CVE-2025-13630 openSUSE Leap 16.0:chromedriver-143.0.7499.40-bp160.1.1 openSUSE Leap 16.0:chromium-143.0.7499.40-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-13630.html CVE-2025-13630 https://bugzilla.suse.com/1254429 SUSE Bug 1254429 Inappropriate implementation in Google Updater in Google Chrome on Mac prior to 143.0.7499.41 allowed a remote attacker to perform privilege escalation via a crafted file. (Chromium security severity: High) CVE-2025-13631 openSUSE Leap 16.0:chromedriver-143.0.7499.40-bp160.1.1 openSUSE Leap 16.0:chromium-143.0.7499.40-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-13631.html CVE-2025-13631 https://bugzilla.suse.com/1254429 SUSE Bug 1254429 Inappropriate implementation in DevTools in Google Chrome prior to 143.0.7499.41 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension. (Chromium security severity: High) CVE-2025-13632 openSUSE Leap 16.0:chromedriver-143.0.7499.40-bp160.1.1 openSUSE Leap 16.0:chromium-143.0.7499.40-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-13632.html CVE-2025-13632 https://bugzilla.suse.com/1254429 SUSE Bug 1254429 Use after free in Digital Credentials in Google Chrome prior to 143.0.7499.41 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) CVE-2025-13633 openSUSE Leap 16.0:chromedriver-143.0.7499.40-bp160.1.1 openSUSE Leap 16.0:chromium-143.0.7499.40-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-13633.html CVE-2025-13633 https://bugzilla.suse.com/1254429 SUSE Bug 1254429 Inappropriate implementation in Downloads in Google Chrome on Windows prior to 143.0.7499.41 allowed a local attacker to bypass mark of the web via a crafted HTML page. (Chromium security severity: Medium) CVE-2025-13634 openSUSE Leap 16.0:chromedriver-143.0.7499.40-bp160.1.1 openSUSE Leap 16.0:chromium-143.0.7499.40-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-13634.html CVE-2025-13634 https://bugzilla.suse.com/1254429 SUSE Bug 1254429 Inappropriate implementation in Downloads in Google Chrome prior to 143.0.7499.41 allowed a local attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) CVE-2025-13635 openSUSE Leap 16.0:chromedriver-143.0.7499.40-bp160.1.1 openSUSE Leap 16.0:chromium-143.0.7499.40-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-13635.html CVE-2025-13635 https://bugzilla.suse.com/1254429 SUSE Bug 1254429 Inappropriate implementation in Split View in Google Chrome prior to 143.0.7499.41 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted domain name. (Chromium security severity: Low) CVE-2025-13636 openSUSE Leap 16.0:chromedriver-143.0.7499.40-bp160.1.1 openSUSE Leap 16.0:chromium-143.0.7499.40-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-13636.html CVE-2025-13636 https://bugzilla.suse.com/1254429 SUSE Bug 1254429 Inappropriate implementation in Downloads in Google Chrome prior to 143.0.7499.41 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass download protections via a crafted HTML page. (Chromium security severity: Low) CVE-2025-13637 openSUSE Leap 16.0:chromedriver-143.0.7499.40-bp160.1.1 openSUSE Leap 16.0:chromium-143.0.7499.40-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-13637.html CVE-2025-13637 https://bugzilla.suse.com/1254429 SUSE Bug 1254429 Use after free in Media Stream in Google Chrome prior to 143.0.7499.41 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low) CVE-2025-13638 openSUSE Leap 16.0:chromedriver-143.0.7499.40-bp160.1.1 openSUSE Leap 16.0:chromium-143.0.7499.40-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-13638.html CVE-2025-13638 https://bugzilla.suse.com/1254429 SUSE Bug 1254429 Inappropriate implementation in WebRTC in Google Chrome prior to 143.0.7499.41 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: Low) CVE-2025-13639 openSUSE Leap 16.0:chromedriver-143.0.7499.40-bp160.1.1 openSUSE Leap 16.0:chromium-143.0.7499.40-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-13639.html CVE-2025-13639 https://bugzilla.suse.com/1254429 SUSE Bug 1254429 Inappropriate implementation in Passwords in Google Chrome prior to 143.0.7499.41 allowed a local attacker to bypass authentication via physical access to the device. (Chromium security severity: Low) CVE-2025-13640 openSUSE Leap 16.0:chromedriver-143.0.7499.40-bp160.1.1 openSUSE Leap 16.0:chromium-143.0.7499.40-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-13640.html CVE-2025-13640 https://bugzilla.suse.com/1254429 SUSE Bug 1254429 Bad cast in Loader in Google Chrome prior to 143.0.7499.41 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) CVE-2025-13720 openSUSE Leap 16.0:chromedriver-143.0.7499.40-bp160.1.1 openSUSE Leap 16.0:chromium-143.0.7499.40-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-13720.html CVE-2025-13720 https://bugzilla.suse.com/1254429 SUSE Bug 1254429 Race in v8 in Google Chrome prior to 143.0.7499.41 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) CVE-2025-13721 openSUSE Leap 16.0:chromedriver-143.0.7499.40-bp160.1.1 openSUSE Leap 16.0:chromium-143.0.7499.40-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-13721.html CVE-2025-13721 https://bugzilla.suse.com/1254429 SUSE Bug 1254429