CVE-2025-1426

High

Published: 19 February 2025

Published

19 February 2025

Modified

07 April 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0039 60.1th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Heap buffer overflow in GPU in Google Chrome on Android prior to 133.0.6943.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Security Summary

CVE-2025-1426 is a heap buffer overflow vulnerability, classified under CWE-122, affecting the GPU component in Google Chrome on Android versions prior to 133.0.6943.126. Published on 2025-02-19, it enables potential heap corruption when a user processes a crafted HTML page. The Chromium security team assesses it as High severity, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A remote attacker can exploit this vulnerability over the network with low attack complexity and no privileges required, though it relies on user interaction, such as visiting a malicious site. Successful exploitation could lead to high impacts on confidentiality, integrity, and availability through heap corruption.

Google's stable channel update addresses the issue in Chrome for Android 133.0.6943.126 and later versions, as detailed in the Chrome Releases blog and Chromium issue tracker (https://chromereleases.googleblog.com/2025/02/stable-channel-update-for-desktop_18.html, https://issues.chromium.org/issues/383465163). Security practitioners should prioritize updating affected devices to mitigate the risk.

Details

CWE(s): CWE-122

Affected Products

google

chrome

≤ 133.0.6943.126

References

https://chromereleases.googleblog.com/2025/02/stable-channel-update-for-desktop_18.html
Release Notes · chrome-cve-admin@google.com
https://issues.chromium.org/issues/383465163
Issue Tracking, Permissions Required · chrome-cve-admin@google.com