Full Report
Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Analysis Summary
# Vulnerability: Multiple Critical Flaws in Google Chrome Leading to Arbitrary Code Execution
## CVE Details
- CVE ID: CVE-2025-14372 (Use-After-Free in Password Manager), CVE-2025-14373 (Inappropriate Implementation in Toolbar). *Note: The most severe vulnerability (Buffer Overflow in the ANGLE graphics library) currently has no assigned CVE and is listed as 'Under coordination'.*
- CVSS Score: *Not explicitly provided for the most severe flaw; individual scores for the two named CVEs are not detailed.* (Severity implied as High/Critical due to ACE and in-the-wild exploitation).
- CWE: Buffer Overflow (for the most severe flaw), Use-After-Free (CVE-2025-14372).
## Affected Systems
- Products: Google Chrome
- Versions:
  - Windows and Mac: Prior to 143.0.7499.109/.110
  - Linux: Prior to 143.0.7499.109
- Configurations: Standard user configurations on affected operating systems. Impact is higher for users with administrative privileges.
## Vulnerability Description
Multiple vulnerabilities were discovered in Google Chrome. The most severe is a **Buffer Overflow** vulnerability within the **ANGLE graphics library**, specifically in its Metal renderer. This occurs because buffer sizes are incorrectly calculated using `pixelsDepthPitch`, which derives from `GL_UNPACK_IMAGE_HEIGHT`. If this derived value is smaller than the actual image height, it results in a buffer overflow, leading to memory corruption, crashes, or potentially **Arbitrary Code Execution (ACE)**.
Two other identified vulnerabilities include a **Use-After-Free** flaw in the Password Manager (CVE-2025-14372) and an **Inappropriate Implementation** vulnerability in the Toolbar (CVE-2025-14373). Successful exploitation of the most severe flaw grants an attacker ACE in the context of the logged-on user.
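The size miscalculation described above, reduced to a simplified C model (an added example, not ANGLE's or Chrome's code; the `upload_t` struct and every function name are hypothetical). The flawed sizing takes its row count from `GL_UNPACK_IMAGE_HEIGHT`, while the hardened check sizes the buffer from the rows actually copied and rejects arithmetic overflow.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a 3D texture upload; all names are hypothetical. */
typedef struct {
    uint32_t width, height, depth;   /* extents actually copied            */
    uint32_t bytes_per_pixel;
    uint32_t unpack_image_height;    /* GL_UNPACK_IMAGE_HEIGHT, 0 = unset  */
} upload_t;

/* Checked multiply: returns false instead of wrapping on overflow. */
static bool mul_ok(size_t a, size_t b, size_t *out) {
    if (b != 0 && a > SIZE_MAX / b) return false;
    *out = a * b;
    return true;
}

/* Flawed pattern: the depth pitch uses the client-supplied image height,
 * so the result shrinks when that value is below the real height. */
size_t size_from_depth_pitch(const upload_t *u) {
    size_t row_pitch = (size_t)u->width * u->bytes_per_pixel;
    size_t rows = u->unpack_image_height ? u->unpack_image_height : u->height;
    return row_pitch * rows * u->depth;   /* also lacks an overflow check */
}

/* Bytes the copy really writes: each slice holds `height` full rows. */
bool size_required(const upload_t *u, size_t *out) {
    size_t row_pitch, slice;
    return mul_ok(u->width, u->bytes_per_pixel, &row_pitch) &&
           mul_ok(row_pitch, u->height, &slice) &&
           mul_ok(slice, u->depth, out);
}

/* Hardened check: refuse the upload unless the buffer covers the copy. */
bool upload_fits(const upload_t *u, size_t allocated) {
    size_t need;
    return size_required(u, &need) && allocated >= need;
}

int main(void) {
    upload_t u = {64, 64, 4, 4, 16};      /* constructed sample values */
    size_t need = 0;
    size_required(&u, &need);
    printf("allocated=%zu required=%zu fits=%d\n", size_from_depth_pitch(&u),
           need, upload_fits(&u, size_from_depth_pitch(&u)));
    return 0;
}
```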
## Exploitation
- Status: **Exploited in the wild** (Google is aware of an exploit existing).
- Complexity: *Not specified, but exploitation leading to ACE on a zero-day warrants a high or medium classification.*
- Attack Vector: Network (Drive-By Compromise, initial access tactic T0001).
## Impact
- Confidentiality: Potential for unauthorized data viewing/change.
- Integrity: Potential to install programs, view, change, or delete data, and create new user accounts.
- Availability: Potential for system crashes/denial of service.
## Remediation
### Patches
- Google Chrome version **143.0.7499.109** or later for Linux.
- Google Chrome version **143.0.7499.109/.110** or later for Windows and Mac.
### Workarounds
- Apply the Principle of Least Privilege: Run all software, including Chrome, as a non-privileged user (one without administrative privileges) to diminish the impact of a successful attack.
- Ensure only fully supported browsers and email clients are used, sticking to the latest vendor-provided versions.
## Detection
- Indicators of Compromise: System instability, unexpected program execution, or privilege escalation attempts originating from the Chrome process.
- Detection methods and tools: Implement robust vulnerability management processes to ensure timely patching (Safeguard 7.4). Monitor endpoint activity for suspicious behavior stemming from web browser processes.
## References
- CVE-2025-14372: [cve.mitre.org/cgi-bin/cvename?name=CVE-2025-14372]
- CVE-2025-14373: [cve.mitre.org/cgi-bin/cvename?name=CVE-2025-14373]
- Google Advisory: [chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_10.html]
- MS-ISAC Advisory: 2025-115