CVE-2025-0438
Published: 15 January 2025
Summary
CVE-2025-0438 is a high-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The vulnerability ranks in the top 41.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-0438 is a stack buffer overflow vulnerability in the Tracing component of Google Chrome versions prior to 132.0.6834.83. The flaw, classified under CWE-121, enables potential stack corruption when a remote attacker supplies a crafted HTML page. It carries a Chromium security severity rating of High and a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating significant risk due to its network accessibility and high impacts on confidentiality, integrity, and availability.
A remote attacker with no privileges can exploit this vulnerability by luring a user to a malicious website or otherwise getting a crafted HTML page loaded in the browser. Successful exploitation could lead to arbitrary code execution through stack corruption, compromising the victim's browser and potentially the underlying system, depending on the attacker's payload and the user's context. Chrome is multi-process and sandboxed, so depending on which process handles the corrupted tracing data, reaching the underlying system may additionally require a separate sandbox escape; the CVSS vector's unchanged scope (S:U) reflects impact confined to the browser itself.
Google's stable channel update advisory at https://chromereleases.googleblog.com/2025/01/stable-channel-update-for-desktop_14.html details the patch in Chrome 132.0.6834.83, recommending users update to this version or later to mitigate the issue. Additional technical details are available in the Chromium issue tracker at https://issues.chromium.org/issues/384186539.
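The fixed build is the only hard fact an operator needs for triage, and the common mistake is comparing Chrome version strings lexicographically (which puts 132.0.6834.110 below 132.0.6834.83). The following is an added example, not code from the advisory or from Google: it parses four-part Chrome versions numerically, classifies `--version` output against the fixed build 132.0.6834.83, and runs over a constructed inventory. The `google-chrome` binary name and the sample inventory lines are assumptions for illustration.

```python
"""Fleet triage for CVE-2025-0438: is an installed Chrome older than the fixed build?

Added example, not part of the advisory. Only the fixed version (132.0.6834.83)
comes from the advisory; the sample --version strings below are constructed.
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

# First fixed stable build per the Chrome stable channel advisory (14 Jan 2025).
FIXED_VERSION = "132.0.6834.83"

# Chrome prints e.g. "Google Chrome 131.0.6778.204" for --version; pull the
# four dotted integers out of whatever surrounds them.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a four-part Chrome version from free text as a tuple of ints.

    Tuples compare numerically, so (132, 0, 6834, 110) > (132, 0, 6834, 83),
    which a plain string comparison gets wrong. Returns None if no version
    is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def is_vulnerable(version_text: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if older than the first fixed build, False if at or past it,
    None if no version can be parsed (treat as unknown, never as safe)."""
    v = parse_version(version_text)
    if v is None:
        return None
    return v < parse_version(fixed)


def installed_chrome_version(binary: str = "google-chrome") -> Optional[str]:
    """Run `<binary> --version` on this host and return its output line.

    The binary name is an assumption (Linux package name); on other platforms
    substitute the appropriate path. Returns None if the binary is absent.
    """
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() or None


# Constructed sample inventory (host -> --version output); not real data.
SAMPLE_INVENTORY: Dict[str, str] = {
    "ws-01": "Google Chrome 131.0.6778.204",  # earlier major: vulnerable
    "ws-02": "Google Chrome 132.0.6834.83",   # exactly the fixed build
    "ws-03": "Google Chrome 132.0.6834.110",  # later patch: fixed (string compare would say vulnerable)
    "ws-04": "Google Chrome 132.0.6834.9",    # lower build on the 132 line: vulnerable
    "ws-05": "chrome: command not found",     # no version: unknown
}


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'vulnerable', 'fixed' or 'unknown'."""
    labels = {True: "vulnerable", False: "fixed", None: "unknown"}
    return {host: labels[is_vulnerable(text)] for host, text in inventory.items()}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
    local = installed_chrome_version()
    if local:
        print(f"local: {local} -> {triage({'local': local})['local']}")
```

Hosts whose version cannot be parsed are reported as unknown rather than fixed, so a missing or renamed binary never silently drops out of the vulnerable set.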
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-1670
Vulnerability details
Stack buffer overflow in Tracing in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to potentially exploit stack corruption via a crafted HTML page. (Chromium security severity: High)
- CWE(s): CWE-121 (Stack-based Buffer Overflow)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A stack buffer overflow reachable from a crafted HTML page lets an attacker compromise a victim simply by getting the page loaded in the browser (Drive-by Compromise, T1189); the overflow itself is the vector for client-side code execution (Exploitation for Client Execution, T1203).
Affected Assets
- Google Chrome prior to 132.0.6834.83
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the stack buffer overflow by requiring timely application of the vendor patch (Chrome 132.0.6834.83 or later). For deploying organizations this is the only control that removes the flaw; the remaining controls reduce exploitability.
- SI-16 (Memory Protection): makes exploitation of the stack corruption less reliable through stack canaries, ASLR and non-executable stacks. Chrome already ships with these protections; they raise the cost of a working exploit rather than prevent one, so they do not substitute for patching.
- SI-10 (Information Input Validation): prevents buffer overflows from crafted HTML input reaching the Tracing component by validating input length and format before processing. This is a control on the Chrome code base exercised by the vendor; deployers cannot apply it externally.