CVE-2025-11460
Published: 06 November 2025
Description
Adversaries may exploit software vulnerabilities in client applications to execute code.
Security Summary
CVE-2025-11460 is a use-after-free vulnerability (CWE-416) in the Storage component of Google Chrome versions prior to 141.0.7390.65. It allows a remote attacker to execute arbitrary code by processing a crafted video file. The vulnerability carries a Chromium security severity rating of High and a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts.
A remote attacker can exploit this vulnerability over the network with low complexity and no required privileges, though user interaction is necessary, such as convincing a user to open a malicious video file in Chrome. Successful exploitation enables arbitrary code execution within the context of the browser, potentially leading to full compromise of the affected system.
Mitigation involves updating to Google Chrome version 141.0.7390.65 or later, as detailed in the Chrome stable channel release notes at https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop.html and the associated Chromium issue tracker at https://issues.chromium.org/issues/446722008.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a use-after-free in Chrome's Storage component exploitable via a crafted video file, enabling arbitrary code execution in a client application, directly mapping to Exploitation for Client Execution (T1203).