CVE-2025-14765

High

Published: 16 December 2025

Published

16 December 2025

Modified

18 December 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0018 39.2th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Use after free in WebGPU in Google Chrome prior to 143.0.7499.147 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Mandates timely identification, reporting, and correction of known flaws like the WebGPU use-after-free vulnerability via patching to Chrome 143.0.7499.147 or later.

SI-16 Memory Protection good match

prevent

Implements memory allocation, deallocation, and access protections to directly mitigate use-after-free errors causing heap corruption in WebGPU processing.

SI-5 Security Alerts, Advisories, and Directives partial match

detect

Requires receiving and disseminating security advisories such as Google's Chrome release notes for this CVE to enable rapid flaw remediation.

Security SummaryAI

CVE-2025-14765 is a use-after-free vulnerability (CWE-416) in the WebGPU component of Google Chrome prior to version 143.0.7499.147. Published on 2025-12-16, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is classified as High severity by Chromium security. The flaw allows potential heap corruption when processing a crafted HTML page.

A remote attacker can exploit this vulnerability by luring a user to interact with a maliciously crafted HTML page, requiring no privileges but user interaction such as visiting the page or granting permissions. Successful exploitation could lead to heap corruption, enabling high-impact consequences including unauthorized access to sensitive data, modification of system integrity, and disruption of availability.

Google's stable channel update for desktop, available at https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_16.html, addresses the issue in Chrome 143.0.7499.147 and later versions. Additional details are provided in the Chromium issue tracker at https://issues.chromium.org/issues/448294721. Practitioners should prioritize updating affected Chrome installations to mitigate the risk.

Details

CWE(s): CWE-416

Affected Products

google

chrome

≤ 143.0.7499.146

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

The use-after-free vulnerability in Chrome's WebGPU enables exploitation for client execution (T1203) via a crafted HTML page, leading to heap corruption and arbitrary code execution requiring user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_16.html
Release Notes · chrome-cve-admin@google.com
https://issues.chromium.org/issues/448294721
Issue Tracking, Permissions Required · chrome-cve-admin@google.com