CVE-2025-1006

Severity: High
Published: 19 February 2025
Modified: 07 April 2025
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0033 (55.9th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Use after free in Network in Google Chrome prior to 133.0.6943.126 allowed a remote attacker to potentially exploit heap corruption via a crafted web app. (Chromium security severity: Medium)

Security Summary

CVE-2025-1006 is a use-after-free vulnerability (CWE-416) in the Network component of Google Chrome prior to version 133.0.6943.126. The flaw enables a remote attacker to potentially exploit heap corruption via a crafted web application. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated Medium severity by Chromium.

A remote, unprivileged attacker can reach the flaw over the network with low attack complexity, but exploitation requires user interaction, such as clicking a link or visiting a malicious site. Successful exploitation has high impact on confidentiality, integrity, and availability: the resulting heap corruption could lead to arbitrary code execution or system compromise.

Google addressed the issue in the Chrome stable channel update to version 133.0.6943.126. Details are provided in the Chrome Releases blog at https://chromereleases.googleblog.com/2025/02/stable-channel-update-for-desktop_18.html and in the Chromium issue tracker at https://issues.chromium.org/issues/390590778. Security practitioners should prioritize updating affected browsers.

Details

CWE(s): CWE-416 (Use After Free)

Affected Products

google / chrome ≤ 133.0.6943.126