Full Report
Google Chrome is a browser that runs everywhere. Chromium is the open source browser engine underneath Chrome; it also underlies Edge, Brave and many more browsers. The post is about a memory safety issue that Aisle found in the Chromium engine. The blog post pushes hard for autonomous security reviews because of the amount of new code being pushed. I understand the sentiment but I'm not a huge fan of how it's pushed in the article.

WebXR is an API for virtual and augmented reality experiences in the browser. It's a great target for memory safety issues because of its complexity: it's an evolving API under active development that interfaces with complex 3D graphics plus new hardware components. Applications manipulate positions, rotations and transformations through interfaces that represent data in 3D space.

The vulnerable code path involves WebXR's matrix caching and JavaScript's ArrayBuffer semantics. A page can detach a typed array by transferring its underlying buffer to another context; this is a legitimate API and is used for zero-copy data transfers. When the cached array had been detached, the Chromium engine had a bad fallback: it returned a freshly created zero-length array. So, what's the problem? On this code path, the only check on the array's length happens in DEBUG builds. So when ColMajorF accesses 16 array indexes, it reads 64 bytes past the end of the buffer that was just initialized. This creates an out-of-bounds read in the Chromium engine.

To fix the vulnerability, the matrix is recalculated from the authoritative internal state instead of the cached array, in accordance with the WebXR specification. The Aisle tool additionally found two other locations where this was happening, but the article doesn't discuss their exploitability.
Analysis Summary
# Vulnerability: Chromium WebXR Matrix Caching Out-of-Bounds Read
## CVE Details
- **CVE ID:** CVE-2025-12443
- **CVSS Score:** 4.3 (Medium)
- **CWE:** CWE-125 (Out-of-bounds Read) / Information Disclosure
## Affected Systems
- **Products:** All browsers based on the Chromium engine, including Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, Arc, Atlas, and Comet.
- **Versions:** Affected versions prior to the fix in late 2025 (specifically fixed in Chrome 142). The vulnerability was present in the codebase for approximately seven months.
- **Configurations:** Systems with WebXR APIs enabled (typically default in modern mobile and desktop browsers).
## Vulnerability Description
The vulnerability exists in Chromium’s **WebXR** implementation, specifically regarding how `XRRigidTransform` handles matrix caching when integrated with JavaScript `ArrayBuffer` semantics.
When a web page "detaches" (transfers) a typed array used by WebXR, Chromium’s fallback logic incorrectly returned a freshly created **zero-length array** instead of recalculating the matrix. This zero-length array was then passed to `DOMFloat32ArrayToTransform`. While this function contained a `DCHECK` to ensure the length was 16 elements, this check is stripped in production (Release) builds. Consequently, the `ColMajorF` function attempted to read 16 indices (64 bytes) from the zero-length buffer, leading to an out-of-bounds read of adjacent heap memory.
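The create, cache, detach, reuse sequence described in the Full Report and in this section, modelled as an added C++ example. This is not Chromium's code: `TransformState`, `DetachableFloat32Array`, the two `*Fallback` functions and `ToTransformChecked` are illustrative stand-ins for the logic in `xr_rigid_transform.cc`, and the quaternion-to-matrix layout is assumed. It places the zero-length-array fallback next to the recompute-from-state fix, and a `DCHECK`-only length check next to one that survives release builds:

```cpp
// Added example: a simplified model of the WebXR matrix-caching bug.
// None of these names are Chromium's; the real code in xr_rigid_transform.cc
// is only paraphrased here.
#include <array>
#include <cassert>
#include <cstddef>
#include <iostream>
#include <optional>
#include <utility>
#include <vector>

#ifdef NDEBUG
#define DCHECK(cond) ((void)0)  // release build: the check disappears
#else
#define DCHECK(cond) assert(cond)
#endif

constexpr std::size_t kMatrixLength = 16;  // 4x4 column-major float matrix

// Authoritative internal state of the transform (assumed layout).
struct TransformState {
  float px = 0, py = 0, pz = 0;          // position
  float qx = 0, qy = 0, qz = 0, qw = 1;  // orientation, unit quaternion
};

// Rebuild the column-major 4x4 matrix from the authoritative state.
std::vector<float> ComputeColMajorMatrix(const TransformState& s) {
  const float x = s.qx, y = s.qy, z = s.qz, w = s.qw;
  std::vector<float> m(kMatrixLength, 0.0f);  // m[col * 4 + row]
  m[0] = 1 - 2 * (y * y + z * z); m[1] = 2 * (x * y + z * w); m[2] = 2 * (x * z - y * w);
  m[4] = 2 * (x * y - z * w); m[5] = 1 - 2 * (x * x + z * z); m[6] = 2 * (y * z + x * w);
  m[8] = 2 * (x * z + y * w); m[9] = 2 * (y * z - x * w); m[10] = 1 - 2 * (x * x + y * y);
  m[12] = s.px; m[13] = s.py; m[14] = s.pz; m[15] = 1.0f;
  return m;
}

// Stand-in for a JS Float32Array whose buffer a page may transfer away.
class DetachableFloat32Array {
 public:
  explicit DetachableFloat32Array(std::vector<float> data) : data_(std::move(data)) {}
  void Detach() { detached_ = true; data_.clear(); }  // buffer transferred: length is now 0
  bool IsDetached() const { return detached_; }
  std::size_t length() const { return data_.size(); }
  const float* Data() const { return data_.data(); }
 private:
  std::vector<float> data_;
  bool detached_ = false;
};

// Vulnerable fallback, as the page describes it: a detached cache is replaced
// by a fresh zero-length array rather than a recomputed matrix.
DetachableFloat32Array VulnerableMatrixFallback(const DetachableFloat32Array& cache) {
  if (cache.IsDetached()) return DetachableFloat32Array(std::vector<float>{});
  return cache;
}

// Fixed fallback: recompute from the authoritative state, per the WebXR spec.
DetachableFloat32Array FixedMatrixFallback(const TransformState& state,
                                           const DetachableFloat32Array& cache) {
  if (cache.IsDetached()) return DetachableFloat32Array(ComputeColMajorMatrix(state));
  return cache;
}

// The pattern that made the zero-length array dangerous: the only length check
// is a DCHECK, so a release build reads 16 floats regardless of the real length.
// Shown for contrast only; never call it with a short array.
std::array<float, kMatrixLength> ToTransformDcheckOnly(const DetachableFloat32Array& arr) {
  DCHECK(arr.length() == kMatrixLength);
  std::array<float, kMatrixLength> out{};
  for (std::size_t i = 0; i < kMatrixLength; ++i) out[i] = arr.Data()[i];
  return out;
}

// Hardened conversion: the length check is a real branch that survives release
// builds, so a short array is rejected instead of being read past its end.
std::optional<std::array<float, kMatrixLength>> ToTransformChecked(
    const DetachableFloat32Array& arr) {
  if (arr.length() != kMatrixLength) return std::nullopt;
  std::array<float, kMatrixLength> out{};
  for (std::size_t i = 0; i < kMatrixLength; ++i) out[i] = arr.Data()[i];
  return out;
}

// Walk the create -> cache -> detach -> reuse sequence and report whether each
// fallback yields a matrix that the checked converter accepts.
struct ScenarioResult { bool vulnerable_accepted; bool fixed_accepted; float fixed_tx; };

ScenarioResult RunDetachScenario() {
  TransformState state; state.px = 1.0f; state.py = 2.0f; state.pz = 3.0f;
  DetachableFloat32Array cache(ComputeColMajorMatrix(state));  // first read fills the cache
  cache.Detach();                                              // page transfers the buffer away
  auto vuln = ToTransformChecked(VulnerableMatrixFallback(cache));
  auto fixed = ToTransformChecked(FixedMatrixFallback(state, cache));
  return {vuln.has_value(), fixed.has_value(), fixed ? (*fixed)[12] : 0.0f};
}

int main() {
  ScenarioResult r = RunDetachScenario();
  std::cout << "vulnerable fallback accepted: " << r.vulnerable_accepted
            << ", fixed fallback accepted: " << r.fixed_accepted << '\n';
  return (r.vulnerable_accepted || !r.fixed_accepted) ? 1 : 0;
}
```

The point of `ToTransformChecked` is that the length check is program logic rather than a debug assertion: a `DCHECK` documents an invariant for developers but enforces nothing in the builds users run, so input that crosses a trust boundary (here, an array a page can detach at will) needs a check that remains in release code.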
## Exploitation
- **Status:** PoC available (discovered by AISLE autonomous analyzer); handled via responsible disclosure.
- **Complexity:** Medium (requires specific sequencing of creating, caching, detaching, and reusing WebXR objects).
- **Attack Vector:** Network (Remote via malicious website).
## Impact
- **Confidentiality:** Medium (Leaks 64 bytes of sensitive heap memory, including pointers, to attacker-controlled JavaScript).
- **Integrity:** None.
- **Availability:** Low (Potential for renderer process instability).
- **Note:** The leaked memory can be used to bypass **ASLR** (Address Space Layout Randomization), facilitating more severe secondary exploits.
## Remediation
### Patches
- **Google Chrome:** Update to version **142** or later.
- **Chromium Engine:** Apply Fix CL [chromium-review[.]googlesource[.]com/7046576].
- **Other Browsers:** Update Edge, Brave, and Opera to versions incorporating the Chromium 142 security patches.
### Workarounds
- Disable WebXR/WebVR flags in `chrome://flags` if updates cannot be immediately applied.
- Use browsers not based on Chromium (e.g., Firefox or Safari) for high-risk navigation until patched.
## Detection
- **Indicators of Compromise:** Unusual JavaScript activity involving rapid `ArrayBuffer` transfers followed by `XRRay` transformations.
- **Detection methods and tools:**
  - Static analysis of Chromium-based binaries for the vulnerable `xr_rigid_transform.cc` logic.
  - Security posture management tools identifying outdated browser versions (pre-v142).
## References
- **Vendor Advisory:** [chromereleases[.]googleblog[.]com]
- **Chromium Issue Tracker:** [issues[.]chromium[.]org/issues/452071845]
- **NVD Record:** [nvd[.]nist[.]gov/vuln/detail/CVE-2025-12443]
- **Research Post:** [aisle[.]com/blog/cve-2025-12443-chrome-webxr-flaw]