PAN-SA-2026-0001 Chromium: Monthly Vulnerability Update (January 2026)
Exploit Maturity
UNREPORTED
Response Effort
MODERATE
Recovery
USER
Value Density
DIFFUSE
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Automatable
NO
User Interaction
ACTIVE
Product Confidentiality
HIGH
Product Integrity
HIGH
Product Availability
HIGH
Privileges Required
NONE
Subsequent Confidentiality
NONE
Subsequent Integrity
NONE
Subsequent Availability
NONE
Description
Palo Alto Networks incorporated the following Chromium security fixes into our products:
- https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop.html
- https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_18.html
- https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_16.html
- https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_10.html
- https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop.html
- https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop_17.html
- https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop_11.html
- https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop.html
| CVE | CVSS | Summary |
|---|---|---|
| CVE-2025-12725 | Out of bounds read in WebGPU | |
| CVE-2025-12726 | Inappropriate implementation in Views | |
| CVE-2025-12727 | Inappropriate implementation in V8 | |
| CVE-2025-12728 | Inappropriate implementation in Omnibox | |
| CVE-2025-12729 | Inappropriate implementation in Omnibox | |
| CVE-2025-13042 | Inappropriate implementation in V8 | |
| CVE-2025-13223 | Type Confusion in V8 | |
| CVE-2025-13224 | Type Confusion in V8 | |
| CVE-2025-13630 | Type Confusion in V8 | |
| CVE-2025-13631 | Inappropriate implementation in Google Updater | |
| CVE-2025-13632 | Inappropriate implementation in DevTools | |
| CVE-2025-13633 | Use after free in Digital Credentials | |
| CVE-2025-13634 | Inappropriate implementation in Downloads | |
| CVE-2025-13635 | Inappropriate implementation in Downloads | |
| CVE-2025-13636 | Inappropriate implementation in Split View | |
| CVE-2025-13637 | Inappropriate implementation in Downloads | |
| CVE-2025-13638 | Use after free in Media Stream | |
| CVE-2025-13639 | Inappropriate implementation in WebRTC | |
| CVE-2025-13640 | Inappropriate implementation in Passwords | |
| CVE-2025-13720 | Bad cast in Loader | |
| CVE-2025-13721 | Race in v8 | |
| CVE-2025-14174 | Out of bounds memory access in ANGLE | |
| CVE-2025-14372 | Use after free in Password Manager | |
| CVE-2025-14373 | Inappropriate implementation in Toolbar | |
| CVE-2025-14765 | Use after free in WebGPU | |
| CVE-2025-14766 | Out of bounds read and write in V8 | |
| CVE-2026-0628 | Insufficient policy enforcement in WebView tag |
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| Prisma Browser | < 142.21.4.163 | >= 143.37.2.193 |
Severity: MEDIUM, Suggested Urgency: MODERATE
CVSS-BT: 6.1 / CVSS-B: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Solution
| CVE | Prisma Browser |
|---|---|
| CVE-2025-12725 | 142.21.4.163 |
| CVE-2025-12726 | 142.21.4.163 |
| CVE-2025-12727 | 142.21.4.163 |
| CVE-2025-12728 | 142.21.4.163 |
| CVE-2025-12729 | 142.21.4.163 |
| CVE-2025-13042 | 142.33.8.176 |
| CVE-2025-13223 | 142.33.8.176 |
| CVE-2025-13224 | 142.33.8.176 |
| CVE-2025-13630 | 143.12.4.110 |
| CVE-2025-13631 | 143.12.4.110 |
| CVE-2025-13632 | 143.12.4.110 |
| CVE-2025-13633 | 143.12.4.110 |
| CVE-2025-13634 | 143.12.4.110 |
| CVE-2025-13635 | 143.12.4.110 |
| CVE-2025-13636 | 143.12.4.110 |
| CVE-2025-13637 | 143.12.4.110 |
| CVE-2025-13638 | 143.12.4.110 |
| CVE-2025-13639 | 143.12.4.110 |
| CVE-2025-13640 | 143.12.4.110 |
| CVE-2025-13720 | 143.12.4.110 |
| CVE-2025-13721 | 143.12.4.110 |
| CVE-2025-14174 | 143.12.4.110 |
| CVE-2025-14372 | 143.12.4.110 |
| CVE-2025-14373 | 143.12.4.110 |
| CVE-2025-14765 | 143.18.4.147 |
| CVE-2025-14766 | 143.18.4.147 |
| CVE-2026-0628 | 143.37.2.193 |
Workarounds and Mitigations
No known workarounds exist for this issue.
CPE Applicability
- cpe:2.3:a:palo_alto_networks:prisma_browser:*:*:*:*:*:*:*:* is vulnerable from (including)143.37.2 and up to (excluding)143.37.2.193
Timeline
Initial Publication