CVE-2025-12725
Published: 10 November 2025
Description
Out of bounds read in WebGPU in Google Chrome on Android prior to 142.0.7444.137 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the CVE by requiring timely patching of the out-of-bounds read vulnerability in Chrome's WebGPU component to the fixed version 142.0.7444.137.
Implements memory protection mechanisms like ASLR and DEP to prevent exploitation of the out-of-bounds memory read leading to write in WebGPU.
Enforces process isolation through browser sandboxing to contain potential arbitrary code execution from the WebGPU memory corruption within restricted processes.
Security Summary
CVE-2025-12725 is an out-of-bounds read vulnerability in the WebGPU component of Google Chrome on Android versions prior to 142.0.7444.137. The flaw, classified under CWE-125, enables a remote attacker to perform an out-of-bounds memory write through a crafted HTML page. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), rated as High severity by Chromium security.
A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website or interacting with a crafted HTML page that triggers the WebGPU functionality. No special privileges are required, though user interaction is necessary. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, potentially allowing arbitrary code execution or system compromise on the affected Android device.
Google addressed the issue in Chrome for Android version 142.0.7444.137. Security practitioners should advise users to update to this version or later. Relevant advisories include the Chrome Releases blog post at https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop.html and the Chromium issue tracker at https://issues.chromium.org/issues/443906252.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a client-side browser flaw exploitable via a crafted HTML page on a malicious website, directly enabling drive-by compromise (T1189) and exploitation for client execution (T1203).