CVE-2025-2476
Published: 19 March 2025
Description
Adversaries may exploit software vulnerabilities in client applications to execute code.
Security Summary
CVE-2025-2476 is a use-after-free vulnerability (CWE-416) in the Lens component of Google Chrome prior to version 134.0.6998.117. This flaw allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is classified as Critical by Chromium security severity standards.
A remote attacker without privileges can exploit this vulnerability by luring a user to interact with a malicious site hosting the crafted HTML page. User interaction, such as visiting the page, is required for successful exploitation. If exploited, the attacker could achieve high confidentiality, integrity, and availability impacts through heap corruption.
Google addressed CVE-2025-2476 in the stable channel update for Chrome desktop, released as version 134.0.6998.117, as announced in the Chrome Releases blog (https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_19.html). Further technical details are available in the Chromium issue tracker (https://issues.chromium.org/issues/401029609). Security practitioners should prioritize updating affected Chrome installations to mitigate this risk.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Use-after-free in Chrome browser via crafted HTML page directly enables drive-by compromise (T1189) upon user visit to malicious site and exploitation for client execution (T1203) leading to heap corruption and potential RCE.