What is the CVSS score of CVE-2025-2509?

CVE-2025-2509 has a CVSS 3.1 base score of 7.8 (High). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Chrome are affected by CVE-2025-2509?

Organizations using Out-of-Bounds Read in Virglrenderer in ChromeOS 16093.57.0 face notable risk from CVE-2025-2509, a out-of-bounds read vulnerability rated CVSS 7.8.

Is there a public PoC exploit available for CVE-2025-2509?

Yes, a public proof-of-concept exploit is available for CVE-2025-2509. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2025-2509?

Within 7 days: Identify all affected systems and apply vendor patches promptly. Monitor vendor channels for patch availability.

Chrome CVE-2025-2509

HIGH

Out-of-bounds Read (CWE-125)

2025-05-06 7f6e188d-c52a-4a19-8674-3c3fa7d1fc7f

Buffer Overflow Information Disclosure Chrome Chrome Os

7.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:40 vuln.today

PoC Detected

Oct 03, 2025 - 14:47 vuln.today

Public exploit code

CVE Published

May 06, 2025 - 01:15 nvd

HIGH 7.8

DescriptionNVD

Out-of-Bounds Read in Virglrenderer in ChromeOS 16093.57.0 allows a malicious guest VM to achieve arbitrary address access within the crosvm sandboxed process, potentially leading to VM escape via crafted vertex elements data triggering an out-of-bounds read in util_format_description.

AnalysisAI

Out-of-Bounds Read in Virglrenderer in ChromeOS 16093.57.0 allows a malicious guest VM to achieve arbitrary address access within the crosvm sandboxed process, potentially leading to VM escape via. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Out-of-bounds Read (CWE-125), which allows attackers to read data from memory outside the intended buffer boundaries. Out-of-Bounds Read in Virglrenderer in ChromeOS 16093.57.0 allows a malicious guest VM to achieve arbitrary address access within the crosvm sandboxed process, potentially leading to VM escape via crafted vertex elements data triggering an out-of-bounds read in util_format_description. Affected products include: Google Chrome Os.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate array indices and buffer lengths. Use memory-safe languages. Enable AddressSanitizer during testing.

CVE-2025-2509 vulnerability details – vuln.today

Back

Chrome CVE-2025-2509

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code