CVE-2025-0762

8.8 HIGH

📋 TL;DR

This CVE describes a use-after-free vulnerability in Chrome's DevTools that could allow heap corruption when processing malicious Chrome extensions. Attackers could potentially execute arbitrary code or cause browser crashes. All users running vulnerable Chrome versions are affected.

💻 Affected Systems

Products:

• Google Chrome
• Chromium-based browsers

Versions: All versions prior to 132.0.6834.159

Operating Systems: Windows, macOS, Linux, ChromeOS

Default Config Vulnerable: ⚠️ Yes

Notes: Requires user to install or interact with a malicious Chrome extension

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, data theft, or persistent malware installation

🟠

Likely Case

Browser crash, denial of service, or limited information disclosure

🟢

If Mitigated

Browser crash with no data loss if sandboxing works as intended

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires user interaction with malicious extension; heap corruption exploitation is non-trivial

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 132.0.6834.159 or later

Vendor Advisory: https://chromereleases.googleblog.com/2025/01/stable-channel-update-for-desktop_28.html

Restart Required: No

Instructions:

1. Open Chrome menu > Help > About Google Chrome
2. Allow Chrome to check for updates
3. Relaunch Chrome if prompted
4. Verify version is 132.0.6834.159 or higher

🔧 Temporary Workarounds

Disable Chrome Extensions

all

Temporarily disable all Chrome extensions to prevent exploitation

Copy

chrome://extensions/ > Toggle off all extensions

Restrict Extension Installation

enterprise

Configure enterprise policies to restrict extension installation

🧯 If You Can't Patch

• Use alternative browser temporarily
• Implement strict extension whitelisting policies

🔍 How to Verify

Check if Vulnerable:

Copy

Check Chrome version in About Google Chrome page

Check Version:

Copy

chrome://version/

Verify Fix Applied:

Copy

Confirm Chrome version is 132.0.6834.159 or higher

📡 Detection & Monitoring

Log Indicators:

• Chrome crash reports
• Extension installation events from unusual sources
• DevTools process anomalies

Network Indicators:

• Downloads of suspicious Chrome extension files
• Connections to known malicious extension repositories

SIEM Query:

Copy

source="chrome_logs" AND (event="crash" OR event="extension_install")

📊 Metadata

CVE ID: CVE-2025-0762

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-416

EPSS Score: 0.34% exploit probability (56.3th percentile)

Published: January 29, 2025

Last Updated: April 21, 2025

🔗 References

• https://chromereleases.googleblog.com/2025/01/stable-channel-update-for-desktop_28.html Release Notes
• https://issues.chromium.org/issues/384844003 Permissions Required

📤 Share & Export

Twitter LinkedIn Reddit Copy Link

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-0762, you might also want to check these:

CVE-2025-24085 10.0

This CVE describes a use-after-free vulnerability (CWE-416) in Apple operating systems that allows m...

Same vulnerability type (CWE-416)

CVE-2024-43102 10.0

This CVE describes a use-after-free vulnerability in FreeBSD's umtx (user mutex) subsystem where con...

Same vulnerability type (CWE-416)

CVE-2021-33796 10.0

CVE-2021-33796 is a use-after-free vulnerability in MuJS's regexp source property access that can le...

Same vulnerability type (CWE-416)