CVE-2025-0436
Published: 15 January 2025
Summary
CVE-2025-0436 is a high-severity External Control of Assumed-Immutable Web Parameter (CWE-472) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks in the top 33.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-39 (Process Isolation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely identification, reporting, and remediation of flaws; here, that means applying Google's patch in Chrome 132.0.6834.83, which addresses the integer overflow in Skia.
- SC-39 (Process Isolation): browser sandboxing confines potential heap corruption to the Skia renderer process, limiting attacker impact to the sandboxed environment.
- Memory protection mechanisms such as ASLR and DEP: mitigate heap corruption exploits by randomizing the memory layout and preventing execution of data in corrupted heap regions.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The integer overflow in the browser's rendering library enables drive-by compromise via a malicious HTML page (T1189), client-side exploitation for code execution (T1203), and user-triggered execution via a crafted link (T1204.001).
NVD Description
Integer overflow in Skia in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Deeper analysis
CVE-2025-0436 is an integer overflow vulnerability in the Skia graphics library used by Google Chrome prior to version 132.0.6834.83. The flaw enables potential heap corruption when rendering a crafted HTML page, as classified under CWE-472. Chromium rates its security severity as High, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A remote attacker can exploit this vulnerability by luring a user to visit a malicious website containing the crafted HTML page, requiring user interaction such as clicking a link but no special privileges. Successful exploitation could allow the attacker to achieve high-impact corruption of the heap, potentially leading to arbitrary code execution and full compromise of the browser's confidentiality, integrity, and availability.
Google's stable channel update for desktop, announced via the Chrome Releases blog, patches this issue in version 132.0.6834.83 and later. Additional technical details are documented in the associated Chromium issue tracker. Security practitioners should prioritize updating affected Chrome installations to mitigate the risk.
Details
- CWE(s)