CVE-2025-1916

CVE-2025-1916 is a use-after-free vulnerability (CWE-416) in the Profiles component of Google Chrome prior to version 134.0.6998.35. Published on 2025-03-05, it enables potential heap corruption via a crafted HTML page when exploited through a malicious extension. The issue carries a Chromium security severity of Medium and a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

An attacker who convinces a user to install a malicious browser extension can exploit this vulnerability. With the extension in place, a crafted HTML page triggers the use-after-free, potentially allowing heap corruption that compromises confidentiality, integrity, and availability with high impact, though it requires user interaction and has low attack complexity over the network with no privileges needed.

Google addressed this vulnerability in Chrome stable channel version 134.0.6998.35, as documented in the Chrome Releases blog post at https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop.html and the Chromium issue tracker at https://issues.chromium.org/issues/376493203. Security practitioners should prioritize updating affected systems to this version or later to mitigate the risk.