Cyber Posture

CVE-2025-14766

High

Published: 16 December 2025
Modified: 23 December 2025
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0014 (34.3th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

Out of bounds read and write in V8 in Google Chrome prior to 143.0.7499.147 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly mandates timely identification, reporting, and patching of known flaws like the V8 out-of-bounds vulnerability in Chrome.

prevent

Implements memory protection safeguards such as ASLR and DEP to prevent successful heap corruption from out-of-bounds reads and writes.

detect

Requires vulnerability scanning to identify and prioritize remediation of unpatched Chrome instances affected by this V8 flaw.

Security Summary (AI)

CVE-2025-14766 is an out-of-bounds read and write vulnerability in the V8 JavaScript and WebAssembly engine within Google Chrome versions prior to 143.0.7499.147. This flaw, classified under CWE-125 (Out-of-bounds Read) and CWE-787 (Out-of-bounds Write), enables heap corruption when processing a crafted HTML page. The Chromium security team rates it as High severity, with a CVSS v3.1 base score of 8.8.

A remote attacker can exploit this vulnerability over the network with low complexity and no privileges required, though it necessitates user interaction such as visiting a malicious site. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution through heap corruption without changing the security scope.

Chrome's stable channel update advisory and the associated Chromium issue tracker detail mitigation through upgrading to version 143.0.7499.147 or later, which addresses the V8 defects. Security practitioners should prioritize patching affected Chrome installations and advise users to enable automatic updates.

Details

CWE(s)

Affected Products

Vendor: google
Product: chrome
Version: ≤ 143.0.7499.146

MITRE ATT&CK Enterprise Techniques (AI)

T1189 Drive-by Compromise (Initial Access)
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

T1203 Exploitation for Client Execution (Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

The out-of-bounds read/write in Chrome's V8 engine enables heap corruption and arbitrary code execution via a crafted HTML page, directly facilitating drive-by compromise through malicious websites and client-side exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
