CVE-2025-2136
Published: 10 March 2025
Description
Adversaries may exploit software vulnerabilities in client applications to execute code.
Security Summary
CVE-2025-2136 is a use-after-free vulnerability (CWE-416) in the Inspector component of Google Chrome prior to version 134.0.6998.88. It enables a remote attacker to potentially exploit heap corruption via a crafted HTML page. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated Medium severity by Chromium security standards.
A remote attacker without privileges can exploit this over the network with low attack complexity, though it requires user interaction, such as loading a malicious HTML page in the browser. Successful exploitation could result in high impacts to confidentiality, integrity, and availability through heap corruption, potentially allowing arbitrary code execution.
Mitigation is available in Google Chrome version 134.0.6998.88 and later, as outlined in the stable channel update advisory at https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_10.html. Further technical details are provided in the Chromium issue tracker at https://issues.chromium.org/issues/395032416. Practitioners should prioritize updating affected systems.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Use-after-free in Chrome Inspector enables RCE via crafted malicious HTML page, directly mapping to drive-by compromise and client-side exploitation techniques.