CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description
Type Confusion in V8 in Google Chrome prior to 137.0.7151.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Analysis
This is a type confusion vulnerability in V8, Google Chrome's JavaScript engine, that enables remote code execution within the Chrome sandbox in versions prior to 137.0.7151.103. An attacker can exploit it via a crafted HTML page by tricking a user into visiting a malicious website, achieving arbitrary code execution with high severity impact (CVSS 8.8). The network-based attack vector, low attack complexity, and the fact that it requires only user interaction make it a practical exploitation target.
Technical Context
This vulnerability exists in V8, Google Chrome's JavaScript engine, and is classified as a type confusion vulnerability (CWE-843). Type confusion occurs when the JavaScript engine incorrectly identifies or handles the type of an object or value, allowing attackers to bypass type safety mechanisms. The root cause is a flaw in V8's type system handling that fails to properly validate type information during object manipulation or function calls. CPE affected: cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* (versions prior to 137.0.7151.103). This affects the core V8 JIT compiler or interpreter responsible for JavaScript execution, potentially in object property access, array element handling, or function call dispatch mechanisms.
Affected Products
Chrome (< 137.0.7151.103); Chromium (Open-source versions prior to security release aligning with Chrome 137.0.7151.103)
Remediation
- Primary action: Update Google Chrome to version 137.0.7151.103 or later. Method: automatic updates (Chrome automatically downloads and installs security updates on restart) or manual update via Menu > Help > About Google Chrome.
- Primary action: Update Chromium-based browsers. Method: update Edge, Brave, Opera, and other Chromium-based browsers to their latest versions released after Chrome 137.0.7151.103.
- Temporary mitigation: Avoid visiting untrusted websites until patched; disable JavaScript for untrusted content (limits usability; not recommended as primary mitigation).
- Temporary mitigation: Monitor browser update status and force a restart after updates to ensure the patch is applied.
- Reference: Google Chrome Release Notes (https://chromereleases.googleblog.com/) for v137.0.7151.103 and later security updates.
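To verify the remediation above across a fleet, the following added example (not part of the original advisory or of any vendor tooling) classifies collected Chrome/Chromium version strings against the fixed build 137.0.7151.103. The inventory, host names and function names are constructed for illustration; the two Debian package versions are taken from the vendor table on this page.

```python
import re

# First fixed Chrome build, taken from the advisory text above.
FIXED = (137, 0, 7151, 103)

# Chrome/Chromium versions are four dot-separated integers. Anything around
# them (product name, Debian revision such as "-1~deb12u1") is ignored.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Return the four-part version found in text as a tuple of ints, or None."""
    match = _VERSION_RE.search(text)
    return tuple(map(int, match.groups())) if match else None


def classify(text):
    """Classify one reported version string as fixed, vulnerable or unknown."""
    version = parse_version(text)
    if version is None:
        return "unknown"  # no parsable version: review manually, never assume patched
    # Tuple comparison is numeric per component; comparing the raw strings
    # would wrongly rank build "68" above build "103".
    return "fixed" if version >= FIXED else "vulnerable"


def hosts_needing_action(inventory):
    """Return sorted host names whose browser is vulnerable or unknown."""
    return sorted(host for host, text in inventory if classify(text) != "fixed")


# Constructed inventory: (hypothetical host name, version string as collected).
SAMPLE_INVENTORY = [
    ("ws-01", "Google Chrome 137.0.7151.68"),
    ("ws-02", "Google Chrome 137.0.7151.103"),
    ("deb-11", "120.0.6099.224-1~deb11u1"),
    ("deb-12", "137.0.7151.103-1~deb12u1"),
    ("kiosk-3", ""),  # agent returned nothing
]

if __name__ == "__main__":
    for host, text in SAMPLE_INVENTORY:
        print(f"{host:8} {classify(text):10} {text!r}")
    print("needs action:", hosts_needing_action(SAMPLE_INVENTORY))
```

This comparison applies to Chrome and Chromium version strings only; other Chromium-based browsers use their own version numbering and should be checked against their vendors' fixed releases.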
Vendor Status
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye (security), bullseye | vulnerable | 120.0.6099.224-1~deb11u1 | - |
| bookworm | fixed | 137.0.7151.103-1~deb12u1 | - |
| bookworm (security) | fixed | 146.0.7680.71-1~deb12u1 | - |
| trixie | fixed | 145.0.7632.159-1~deb13u1 | - |
| trixie (security) | fixed | 146.0.7680.71-1~deb13u1 | - |
| forky | fixed | 146.0.7680.71-1 | - |
| sid | fixed | 146.0.7680.80-1 | - |
| bullseye | fixed | (unfixed) | end-of-life |
| (unstable) | fixed | 137.0.7151.103-1 | - |
EUVD-2025-18071