Cyber Resilience

CVE-2025-0438

Severity: High
Published: 15 January 2025
Modified: 21 April 2025
CISA KEV: not listed
Patch: fixed in Chrome 132.0.6834.83
CVSS v3.1 base score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS score: 0.0036 (58.4th percentile)
Risk priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-0438 is a high-severity stack-based buffer overflow (CWE-121) in the Tracing component of Google Chrome, fixed in Chrome 132.0.6834.83. Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK techniques Drive-by Compromise (T1189) and Exploitation for Client Execution (T1203): the victim only has to load a crafted HTML page. Its EPSS score places it in the top 41.6% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation). For an organisation that deploys Chrome rather than builds it, SI-2 is the actionable control: the input validation for this bug lives in Chromium's own code and reaches users only through the patch.

Deeper analysis

CVE-2025-0438 is a stack buffer overflow in the Tracing component of Google Chrome versions prior to 132.0.6834.83. The flaw, classified under CWE-121, lets a remote attacker who supplies a crafted HTML page corrupt the stack of the process that handles that page. It carries a Chromium security severity rating of High and a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H): reachable over the network with no privileges, needing only that a user open the page (UI:R), with high impact on confidentiality, integrity, and availability. Scope is unchanged (S:U), so the rated impact is confined to the security scope of the vulnerable component.

A remote attacker with no privileges can exploit this vulnerability by luring a user to a malicious website or otherwise getting a crafted HTML page rendered in the browser. Successful exploitation could lead to arbitrary code execution through stack corruption, compromising the victim's browser instance and potentially the underlying system. How far it goes depends on the attacker's payload, the user's context, and which Chrome process the corrupted code runs in: Chrome's process sandbox typically confines code execution obtained from a single memory-safety bug, so reaching the host generally requires chaining with a sandbox escape.

Google's stable channel update advisory at https://chromereleases.googleblog.com/2025/01/stable-channel-update-for-desktop_14.html details the patch in Chrome 132.0.6834.83, recommending users update to this version or later to mitigate the issue. Additional technical details are available in the Chromium issue tracker at https://issues.chromium.org/issues/384186539.
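To verify the remediation across a fleet, compare installed versions against 132.0.6834.83 numerically: Chrome version strings are four integers, and a plain string comparison sorts a patch number of 9 after 83. The Python below is an added example, not code from the advisory or from Google; `SAMPLE_INVENTORY` is a constructed map of hostnames to `google-chrome --version` output, and the function names are the example's own.

```python
"""Patch-state check for CVE-2025-0438: is an installed Chrome build older than the fix?

Added example; not code from the advisory. FIXED_VERSION is the first fixed build
named in Google's stable channel update. The inventory below is constructed.
"""
import re

FIXED_VERSION = "132.0.6834.83"

# Chrome versions are MAJOR.MINOR.BUILD.PATCH, each a decimal integer.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> tuple[int, ...]:
    """Extract the first four-part version from text such as
    'Google Chrome 131.0.6778.264' and return it as a tuple of ints."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when installed < fixed, compared field by field as integers.
    Never compare the raw strings: '132.0.6834.9' is older than
    '132.0.6834.83' but sorts after it lexically."""
    return parse_version(installed) < parse_version(fixed)


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split hosts into affected, patched and unknown buckets. A version that
    cannot be parsed is reported as unknown rather than silently treated as
    patched, so a broken collector cannot hide an unpatched host."""
    result: dict[str, list[str]] = {"affected": [], "patched": [], "unknown": []}
    for host, ver in inventory.items():
        try:
            bucket = "affected" if is_affected(ver) else "patched"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    for hosts in result.values():
        hosts.sort()
    return result


# Constructed sample inventory: hostname -> output of `google-chrome --version`.
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 131.0.6778.264",
    "ws-02": "Google Chrome 132.0.6834.83",   # exactly the fixed build
    "ws-03": "Google Chrome 132.0.6834.9",    # lexically looks newer than .83; is not
    "ws-04": "Google Chrome 133.0.6943.53",
    "ws-05": "command not found",             # collector failed on this host
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The advisory's "prior to 132.0.6834.83" is a strict inequality: the fixed build itself is not affected, which is why `is_affected` uses `<` and the exact fixed version lands in the patched bucket.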


Vulnerability details

Stack buffer overflow in Tracing in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to potentially exploit stack corruption via a crafted HTML page. (Chromium security severity: High)

CWE(s)

CWE-121 Stack-based Buffer Overflow

Related Threats

MITRE ATT&CK Enterprise Techniques

T1189 Drive-by Compromise (Initial Access): adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1203 Exploitation for Client Execution (Execution): adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

A stack buffer overflow reachable from web content gives the attacker a drive-by vector (a crafted HTML page served from an attacker-controlled or compromised site, T1189) and, once the page is rendered, client-side code execution in the browser (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-2137 (same product: Google Chrome)
CVE-2026-9923 (same product: Google Chrome)
CVE-2026-8532 (same product: Google Chrome)
CVE-2025-1914 (same product: Google Chrome)
CVE-2025-2135 (same product: Google Chrome)
CVE-2026-9941 (same product: Google Chrome)
CVE-2026-6358 (same product: Google Chrome)
CVE-2026-8581 (same product: Google Chrome)
CVE-2026-6359 (same product: Google Chrome)
CVE-2026-8577 (same product: Google Chrome)

Affected Assets

Vendor: google
Product: chrome
Versions: < 132.0.6834.83 (fixed in 132.0.6834.83)

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): directly remediates the stack buffer overflow by requiring timely application of the vendor patch released in Chrome 132.0.6834.83. This is the only control here that removes the vulnerability rather than raising the cost of exploiting it.

SI-16 Memory Protection (prevent): mitigates exploitation of the stack corruption through memory protection techniques such as stack canaries, ASLR, and non-executable stacks. Chrome already ships with these on supported platforms; they make a working exploit harder to build but do not make the bug unreachable.

SI-10 Information Input Validation (prevent): prevents buffer overflows from crafted HTML inputs to the Tracing component by validating input length and format before processing. For this CVE that validation is the vendor's fix inside Chromium, not something a deploying organisation can apply on its own.

References

Google Chrome Releases blog, Stable Channel Update for Desktop (January 2025): https://chromereleases.googleblog.com/2025/01/stable-channel-update-for-desktop_14.html
Chromium issue tracker, issue 384186539: https://issues.chromium.org/issues/384186539