CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description
Use after free in Media in Google Chrome prior to 137.0.7151.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Analysis
A use-after-free vulnerability in Google Chrome's Media component allows remote attackers to corrupt heap memory and achieve arbitrary code execution through a crafted HTML page. All Chrome versions prior to 137.0.7151.103 are affected. The vulnerability requires user interaction (clicking/viewing the malicious page) but can lead to complete system compromise with high impact on confidentiality, integrity, and availability.
Technical Context
This vulnerability exists in Google Chrome's Media processing subsystem, which handles multimedia content parsing and playback. The root cause is a use-after-free condition (CWE-416), where the Media component attempts to access memory that has already been freed, likely during the cleanup or transition between media parsing states. When processing a crafted HTML page containing specially malformed media elements or resources, the memory management in the Media component can be tricked into dereferencing a freed object. This corrupts the heap and can be leveraged to overwrite adjacent memory structures, potentially allowing execution of arbitrary code. The vulnerability affects the Chromium rendering engine used by Google Chrome, and by extension may affect Chromium-based browsers that have not applied the security patches.
Affected Products
Google Chrome: All versions prior to 137.0.7151.103. Affected CPE: cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* (all versions < 137.0.7151.103). This includes Chrome on Windows, macOS, Linux, Android, and iOS platforms. Chromium-based browsers (Edge, Brave, Opera, etc.) that have not backported patches from Chromium 137.0.7151.103 or later are also affected. Enterprise deployments using Chrome via Google Chrome for Enterprise should prioritize updates.
Remediation
Immediate action: Update Google Chrome to version 137.0.7151.103 or later. Chrome's automatic update mechanism will deploy patches; users should restart the browser to complete the update.
Verify the update: Navigate to chrome://settings/help to confirm the installed version.
For enterprise: Deploy updates via Google Admin console or an equivalent endpoint management solution.
Temporary mitigation (if immediate update is impossible): Disable JavaScript or use a browser extension to block media elements; however, this significantly limits functionality and is not a long-term solution.
Security teams should prioritize this patch in their vulnerability management workflows and verify deployment completion within 48 hours of release to minimize the exploitation window.
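The deployment check described above can be run over an exported software inventory. The script below is an added example, not part of the advisory or any vendor tooling. The host names and the inventory layout are assumptions, and the version strings are taken from this page except where marked as constructed. It compares versions numerically, because a plain string comparison would rank 137.0.7151.68 above 137.0.7151.103.

```python
import re

FIXED = (137, 0, 7151, 103)  # first fixed Chrome release, per the advisory

# Four dotted integers, optionally followed by a Debian revision such as "-1~deb12u1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.+~]+)?$")


def parse_chrome_version(raw):
    """Return the upstream version as a 4-tuple of ints, or None if unparseable."""
    m = _VERSION_RE.match(raw.strip())
    if m is None:
        return None
    return tuple(int(part) for part in m.groups())


def classify(raw):
    """Classify a reported version as 'patched', 'vulnerable' or 'unknown'."""
    version = parse_chrome_version(raw)
    if version is None:
        return "unknown"  # needs manual follow-up; never counted as patched
    return "patched" if version >= FIXED else "vulnerable"


def audit(inventory):
    """Map each status to the sorted list of hosts reporting it."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, raw in inventory.items():
        report[classify(raw)].append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed inventory: host names are hypothetical.
SAMPLE_INVENTORY = {
    "ws-001": "137.0.7151.103",
    "ws-002": "137.0.7151.68",  # constructed value, numerically below .103
    "deb-bullseye": "120.0.6099.224-1~deb11u1",
    "deb-bookworm": "137.0.7151.103-1~deb12u1",
    "deb-sid": "146.0.7680.80-1",
    "kiosk-07": "(unfixed)",  # unparseable entry
}

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown should be checked by hand rather than assumed to be patched.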
Vendor Status
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye (security), bullseye | vulnerable | 120.0.6099.224-1~deb11u1 | - |
| bookworm | fixed | 137.0.7151.103-1~deb12u1 | - |
| bookworm (security) | fixed | 146.0.7680.71-1~deb12u1 | - |
| trixie | fixed | 145.0.7632.159-1~deb13u1 | - |
| trixie (security) | fixed | 146.0.7680.71-1~deb13u1 | - |
| forky | fixed | 146.0.7680.71-1 | - |
| sid | fixed | 146.0.7680.80-1 | - |
| bullseye | fixed | (unfixed) | end-of-life |
| (unstable) | fixed | 137.0.7151.103-1 | - |
EUVD-2025-18072