CVE-2025-13640
📋 TL;DR
This vulnerability in Google Chrome's password implementation allows a local attacker with physical access to bypass authentication mechanisms. It affects users running Chrome versions prior to 143.0.7499.41 on desktop platforms.
💻 Affected Systems
- Google Chrome
- Chromium-based browsers
📦 What is this software?
Chrome by Google
Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...
Learn more about Chrome →Chrome by Google
Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...
Learn more about Chrome →⚠️ Risk & Real-World Impact
Worst Case
An attacker with physical access could gain unauthorized access to saved passwords and authentication-protected resources on the device.
Likely Case
Limited unauthorized access to Chrome-stored credentials by someone with physical device access and basic technical knowledge.
If Mitigated
No impact if device is properly secured against physical access and Chrome is kept updated.
🎯 Exploit Status
Exploitation requires physical access to the device and knowledge of the vulnerability. No authentication bypass for remote access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 143.0.7499.41 and later
Vendor Advisory: https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop.html
Restart Required: Yes
Instructions:
1. Open Chrome. 2. Click the three-dot menu. 3. Go to Help > About Google Chrome. 4. Chrome will automatically check for and install updates. 5. Click 'Relaunch' to restart Chrome with the update.
🔧 Temporary Workarounds
Disable Chrome Password Manager
allPrevent Chrome from storing passwords to eliminate the attack surface
chrome://settings/passwords > Turn off 'Offer to save passwords'
Enable Device Lock
allRequire authentication to access the device
Windows: Settings > Accounts > Sign-in options > Require Windows Hello sign-in
macOS: System Settings > Lock Screen > Require password immediately
🧯 If You Can't Patch
- Implement strict physical security controls for all devices
- Use third-party password managers instead of Chrome's built-in password manager
🔍 How to Verify
Check if Vulnerable:
Check Chrome version in chrome://settings/help or via 'chrome://version/'Check Version:
google-chrome --version (Linux) or 'chrome://version/' in browserVerify Fix Applied:
Confirm Chrome version is 143.0.7499.41 or higher📡 Detection & Monitoring
Log Indicators:
- Unusual access to Chrome password files
- Multiple failed authentication attempts followed by successful access
Network Indicators:
- None - this is a local attack only
SIEM Query:
EventID 4688 with Chrome process accessing credential storage files, or Chrome update logs showing version below 143.0.7499.41