CVE-2025-11205 – A heap buffer overflow vulnerability in Chrome'... (How to Fix)

Q: What is the severity of CVE-2025-11205?

CVE-2025-11205 has a CVSS score of 8.8 (HIGH). A heap buffer overflow vulnerability in Chrome's WebGPU implementation allows remote attackers to potentially exploit heap corruption. This affects Chrome users who visit malicious websites, potentially leading to arbitrary code execution in the renderer process. The vulnerability is rated High severity by Chromium.

📋 TL;DR

A heap buffer overflow vulnerability in Chrome's WebGPU implementation allows remote attackers to potentially exploit heap corruption. This affects Chrome users who visit malicious websites, potentially leading to arbitrary code execution in the renderer process. The vulnerability is rated High severity by Chromium.

💻 Affected Systems

Products:

Google Chrome
Chromium-based browsers

Versions: All versions prior to 141.0.7390.54

Operating Systems: Windows, macOS, Linux, ChromeOS

Default Config Vulnerable: ⚠️ Yes

Notes: All default Chrome configurations are vulnerable. WebGPU must be enabled (default in Chrome).

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Renderer process compromise allowing sandbox escape, privilege escalation, or installation of malware.

🟢

If Mitigated

Limited impact due to Chrome's sandboxing, potentially only affecting the renderer process.

🌐 Internet-Facing: HIGH - Exploitable via visiting malicious websites, no authentication required.

🏢 Internal Only: MEDIUM - Requires user interaction (visiting malicious site), but internal users could be targeted.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Requires compromising the renderer process first, but WebGPU vulnerabilities often lead to sandbox escapes.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 141.0.7390.54

Vendor Advisory: https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_30.html

Restart Required: Yes

Instructions:

1. Open Chrome. 2. Click three-dot menu → Help → About Google Chrome. 3. Chrome will automatically check for and install updates. 4. Click 'Relaunch' to restart Chrome.

🔧 Temporary Workarounds

Disable WebGPU

all

Temporarily disable WebGPU feature to prevent exploitation

chrome://flags/#enable-webgpu → Disable

Use Chrome Enterprise policies

all

Disable WebGPU via enterprise policy for managed environments

Set 'WebGPUEnabled' policy to false

🧯 If You Can't Patch

Implement network filtering to block malicious websites
Use application allowlisting to prevent unauthorized Chrome execution

🔍 How to Verify

Check if Vulnerable:

Check Chrome version: if below 141.0.7390.54, you are vulnerable.

Check Version:

chrome://version

Verify Fix Applied:

Confirm Chrome version is 141.0.7390.54 or higher.

📡 Detection & Monitoring

Log Indicators:

Chrome crash reports with WebGPU-related stack traces
Unexpected renderer process terminations

Network Indicators:

Requests to known malicious domains hosting exploit code
Unusual WebGPU API calls

SIEM Query:

source="chrome" AND (event="crash" OR event="process_termination") AND process="chrome_renderer"

📊 Metadata

CVE ID: CVE-2025-11205

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-122

EPSS Score: 0.09% exploit probability (24.7th percentile)

Published: November 6, 2025

Last Updated: November 13, 2025

🔗 References

https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_30.html Release Notes,Vendor Advisory
https://issues.chromium.org/issues/442444724 Issue Tracking,Permissions Required

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-11205, you might also want to check these: