CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
Description
Use after free in Metrics in Google Chrome prior to 137.0.7151.119 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Analysis
Use-after-free vulnerability in Google Chrome's Metrics component that allows remote attackers to exploit heap corruption and achieve arbitrary code execution through a crafted HTML page. The vulnerability affects Chrome versions prior to 137.0.7151.119 and requires only user interaction (clicking a link/viewing a page) with no special privileges. This is a high-severity remote code execution vector with active exploitation risk given the ubiquity of Chrome and the low attack complexity.
Technical Context
The vulnerability exists in Chrome's Metrics subsystem, which collects and processes performance/diagnostic data. Use-after-free (CWE-416) occurs when the application references memory that has already been freed, allowing attackers to read sensitive data or corrupt the heap. In this case, improper lifecycle management in the Metrics component allows crafted HTML to trigger heap corruption via pointer dereferences to freed objects. The affected CPE is likely cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* with versions <137.0.7151.119. This affects all platforms where Chrome runs (Windows, macOS, Linux, Android, iOS) that use the vulnerable Metrics implementation.
Affected Products
Chrome (<137.0.7151.119)
Remediation
Update Google Chrome to version 137.0.7151.119 or later immediately. Enable automatic updates (default in Chrome) to receive patches without user intervention.
Details: The patch is available from Google's official Chrome update channels. Navigate to chrome://settings/help to force an update check.
Workaround (temporary): Restrict access to untrusted websites or use Chrome's restricted Sandbox Mode if available for sensitive activities.
Details: This does not eliminate risk but reduces the exposure surface. It is not a substitute for patching.
Detection: Monitor Chrome version compliance in your environment. Use endpoint management tools to enforce minimum version 137.0.7151.119 for Chrome deployments.
Details: Verify via chrome://version or via enterprise policy enforcement (Google Admin Console for Chromebook/Chrome OS environments).
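The version-compliance check above needs a numeric, per-component comparison: a plain string compare would rank 137.0.7151.99 after 137.0.7151.119. The following is an added example (not code from vuln.today or Google) that checks reported Chrome build strings against the fixed version; the hostnames and versions in SAMPLE_INVENTORY are constructed sample data.

```python
"""Flag Chrome installs older than the fixed build named in this advisory."""
from __future__ import annotations

# Minimum version that contains the fix (taken from the advisory text).
FIXED_VERSION = "137.0.7151.119"


def parse_version(version: str) -> tuple[int, ...]:
    """Split a Chromium version string (MAJOR.MINOR.BUILD.PATCH) into ints.

    Raises ValueError for anything that is not dotted integers, so a garbage
    inventory entry is reported rather than silently treated as patched.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chromium version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is older than the fixed build.

    Tuple comparison is numeric per component, so 137.0.7151.99 sorts before
    137.0.7151.119. A truncated string such as "137.0" yields a shorter tuple,
    which compares as older and is therefore flagged for manual review.
    """
    return parse_version(version) < parse_version(fixed)


# Constructed sample inventory: hostname -> Chrome version reported by the endpoint agent.
SAMPLE_INVENTORY = {
    "ws-001": "136.0.7103.114",
    "ws-002": "137.0.7151.119",
    "ws-003": "137.0.7151.99",
    "ws-004": "138.0.7204.49",
}


def find_unpatched(inventory: dict[str, str]) -> list[str]:
    """Return the sorted hostnames whose Chrome is older than FIXED_VERSION."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    for host in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: Chrome {SAMPLE_INVENTORY[host]} is below {FIXED_VERSION}")
```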
Priority Score
Vendor Status
Ubuntu
Priority: Medium
| Release | Status | Version |
|---|---|---|
| jammy | not-affected | code not present |
| noble | not-affected | code not present |
| oracular | not-affected | code not present |
| plucky | not-affected | code not present |
| upstream | released | - |
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye (security), bullseye | vulnerable | 120.0.6099.224-1~deb11u1 | - |
| bookworm | fixed | 137.0.7151.119-1~deb12u1 | - |
| bookworm (security) | fixed | 146.0.7680.71-1~deb12u1 | - |
| trixie | fixed | 145.0.7632.159-1~deb13u1 | - |
| trixie (security) | fixed | 146.0.7680.71-1~deb13u1 | - |
| forky | fixed | 146.0.7680.71-1 | - |
| sid | fixed | 146.0.7680.80-1 | - |
| bullseye | fixed | (unfixed) | end-of-life |
| (unstable) | fixed | 137.0.7151.119-1 | - |
EUVD-2025-18662