CVE-2025-1918
Published: 05 March 2025
Description
An adversary may rely upon a user opening a malicious file in order to gain execution.
Security Summary
CVE-2025-1918 is an out-of-bounds read vulnerability (CWE-125) in the PDFium component of Google Chrome prior to version 134.0.6998.35. Published on 2025-03-05, it allows a remote attacker to potentially perform out-of-bounds memory access via a crafted PDF file. Chromium rates the severity as Medium.
The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). A remote attacker requires no privileges and can exploit it over the network with low attack complexity, though user interaction is needed, such as convincing a user to open a malicious PDF file in Chrome. Successful exploitation could lead to high impacts on confidentiality, integrity, and availability.
Google's Chrome Releases blog announces the patch in the stable channel update for desktop at https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop.html, with details tracked in the Chromium issue at https://issues.chromium.org/issues/388557904. Mitigation requires updating to Chrome 134.0.6998.35 or later.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an out-of-bounds read in PDFium triggered by a crafted PDF file requiring user interaction to open in Chrome, directly enabling exploitation through user execution of a malicious file.