CVE-2025-1919
Published: 05 March 2025
Description
Adversaries may exploit software vulnerabilities in client applications to execute code.
Security Summary
CVE-2025-1919 is an out-of-bounds read vulnerability (CWE-125) in the Media component of Google Chrome versions prior to 134.0.6998.35. It enables a remote attacker to potentially perform out-of-bounds memory access through a crafted HTML page. The issue carries a Chromium security severity rating of Medium and a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), highlighting its high potential impact on confidentiality, integrity, and availability.
A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website, as it requires user interaction but no special privileges. Successful exploitation could lead to high-impact outcomes, including unauthorized access to sensitive memory contents, code execution, or system crashes, depending on the attacker's crafted payload and the victim's system.
Google addressed this vulnerability in Chrome version 134.0.6998.35 via the stable channel update for desktop, as detailed in the Chrome Releases blog at https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop.html. Additional technical details are available in the Chromium issue tracker at https://issues.chromium.org/issues/392375312. Security practitioners should advise users to update to the patched version immediately.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The out-of-bounds read in Chrome's Media component via crafted HTML directly enables Drive-by Compromise (T1189) through malicious website visits and Exploitation for Client Execution (T1203) in a client application.