22-05-2025
Google Chrome Users Told To Wait 7 Days For Urgent Security Update
This new Google security update has only been rolled out to some users.
Like most updates concerning high-severity security vulnerabilities, time is of the essence. It's why I have long urged Chrome users not to wait until any such update is eventually rolled out to them and to kickstart the process immediately instead. But now the odd decision has been taken to issue the latest Google Chrome security update on an early release basis. A what now? What this means is that the update will only roll out to 'a small percentage of users,' while the rest of us, the 3 billion of us, have to wait a week to get the same level of protection against attackers. Here's what you need to know and do.
Reporting on Google Chrome security updates is usually pretty straightforward: here are the vulnerabilities and their impact, here is the security update, install it. This is no ordinary Google Chrome update, though; it's what Google refers to as an 'Early Stable Update' instead.
The May 21 announcement appears fairly standard, in that it addresses several Chrome security vulnerabilities, five of which have Common Vulnerabilities and Exposures database entries, ranging from low to high severity. But that's where the normality ends.
The Google Chrome 137.0.7151.40/.41 for Windows and Mac users is actually only available for 'a small percentage of users,' according to Prudhvi Kumar Bommana, part of the Chrome team at Google, 'as part of our early stable release' program. What. The. Flipping. Heck?
Despite CVE-2025-5063, being a high-severity Google Chrome security restriction bypass vulnerability, which, if successfully exploited could lead to remote code execution, the majority of Chrome users are being told they need to wait another week before getting protected.
According to a 2022 Google announcement, the early stable version release of updates was introduced to 'monitor the release before it rolls out to all of our users.' Monitor for what, exactly? What Google described as any 'showstopping issue,' by which I assume they mean bugs. The idea being that any discovered with a serious impact can then be addressed 'while the impact is relatively small.'
Which is all well and good as nobody likes an update that barfs. Apart from the high-severity vulnerability that exists and all Chrome users are potentially vulnerable to exploitation until such a time, to be precise, when the rest of us can receive protection. I have reached out to Google for an explanation of why the early release was decided necessary in this case rather than an immediate global release. I also tried to kickstart the update using the Help|About Google Chrome menu option, but this wasn't playing ball, and the 137 update was not available to me.
