CVE-2025-0436

HighPublic PoC

Published: 15 January 2025

Published

15 January 2025

Modified

21 April 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0051 66.4th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Integer overflow in Skia in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Security Summary

CVE-2025-0436 is an integer overflow vulnerability in the Skia graphics library used by Google Chrome prior to version 132.0.6834.83. The flaw enables potential heap corruption when rendering a crafted HTML page, as classified under CWE-472. Chromium rates its security severity as High, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A remote attacker can exploit this vulnerability by luring a user to visit a malicious website containing the crafted HTML page, requiring user interaction such as clicking a link but no special privileges. Successful exploitation could allow the attacker to achieve high-impact corruption of the heap, potentially leading to arbitrary code execution and full compromise of the browser's confidentiality, integrity, and availability.

Google's stable channel update for desktop, announced via the Chrome Releases blog, patches this issue in version 132.0.6834.83 and later. Additional technical details are documented in the associated Chromium issue tracker. Security practitioners should prioritize updating affected Chrome installations to mitigate the risk.

Details

CWE(s): CWE-472

Affected Products

google

chrome

≤ 132.0.6834.83

References

https://chromereleases.googleblog.com/2025/01/stable-channel-update-for-desktop_14.html
Vendor Advisory · chrome-cve-admin@google.com
https://issues.chromium.org/issues/382786791
Exploit, Issue Tracking · chrome-cve-admin@google.com