Skip to main content

Chrome CVE-2025-4609

CRITICAL
Incorrect Permission Assignment for Critical Resource (CWE-732)
2025-08-22 chrome-cve-admin@google.com
Google Microsoft Information Disclosure Chrome Windows Suse
9.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
SUSE
CRITICAL
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Apr 06, 2026 - 08:30 nvd
Patch available
Analysis Generated
Mar 28, 2026 - 19:08 vuln.today
PoC Detected
Aug 25, 2025 - 20:44 vuln.today
Public exploit code
CVE Published
Aug 22, 2025 - 21:15 nvd
CRITICAL 9.6

DescriptionCVE.org

Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 136.0.7103.113 allowed a remote attacker to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High)

AnalysisAI

Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 136.0.7103.113 allowed a remote attacker to potentially perform a sandbox escape via a malicious. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Incorrect Permission Assignment (CWE-732), which allows attackers to access resources due to misconfigured permissions. Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 136.0.7103.113 allowed a remote attacker to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High) Affected products include: Google Chrome. Version information: prior to 136.0.7103.113.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Review and restrict file/resource permissions, apply principle of least privilege.

More from same product – last 7 days

CVE-2026-12440 CRITICAL
9.6 Jun 17

Use after free in DigitalCredentials in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to po
CVE-2026-12443 HIGH
8.8 Jun 17

Use after free in Web Authentication in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to execute arbit
CVE-2026-12466 HIGH
8.8 Jun 17

Heap buffer overflow in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to execute

CVE-2026-12442 HIGH
8.8 Jun 17

Use after free in Passwords in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to execute arb
CVE-2026-12447 HIGH
8.8 Jun 17

Heap buffer overflow in WebRTC in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary c

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Package Hub 15 SP6 Fixed
openSUSE Leap 15.6 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP6 Fixed

Share

CVE-2025-4609 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy