CVE-2025-12727

High

Published: 10 November 2025

Published

10 November 2025

Modified

25 November 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0011 29.3th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Inappropriate implementation in V8 in Google Chrome prior to 142.0.7444.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and correction of the V8 heap corruption flaw by patching Google Chrome to version 142.0.7444.137 or later.

SI-16 Memory Protection good match

prevent

Implements memory safeguards such as address space layout randomization and data execution prevention to protect against heap corruption from out-of-bounds writes in V8.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Mandates vulnerability scanning to identify systems running vulnerable Chrome versions prior to 142.0.7444.137, enabling proactive remediation.

Security SummaryAI

CVE-2025-12727 stems from an inappropriate implementation in the V8 JavaScript engine within Google Chrome prior to version 142.0.7444.137. This vulnerability enables a remote attacker to potentially exploit heap corruption via a crafted HTML page. Chromium rates its security severity as High, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), and it maps to CWE-787 (Out-of-bounds Write).

A remote attacker without privileges can exploit this by luring a user to interact with a malicious site hosting the crafted HTML page. User interaction is required, but no authentication is needed, allowing network-accessible exploitation with low complexity. Successful attacks could result in high impacts to confidentiality, integrity, and availability through heap corruption.

Mitigation involves updating to Google Chrome 142.0.7444.137 or later, as detailed in the stable channel update on the Chrome Releases blog (https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop.html) and the associated Chromium issue (https://issues.chromium.org/issues/454485895).

Details

CWE(s): CWE-787

Affected Products

google

chrome

≤ 142.0.7444.134 · ≤ 142.0.7444.135

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

The vulnerability in the V8 JavaScript engine allows remote exploitation of heap corruption via a crafted HTML page, directly enabling Exploitation for Client Execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop.html
Release Notes, Vendor Advisory · chrome-cve-admin@google.com
https://issues.chromium.org/issues/454485895
Issue Tracking, Permissions Required · chrome-cve-admin@google.com