CVE-2025-0995
Published: 15 February 2025
Summary
CVE-2025-0995 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked in the top 48.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-39 (Process Isolation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mandates timely patching of flaws like the use-after-free in V8, as addressed in Chrome 133.0.6943.98.
- Memory protections such as ASLR and DEP mitigate exploitation of heap corruption arising from use-after-free vulnerabilities.
- SC-39 (Process Isolation): isolates browser renderer processes to contain the impact of V8 heap corruption exploits.
MITRE ATT&CK Enterprise Techniques
- Drive-by Compromise (T1189)
Why these techniques?
The UAF in V8 enables remote code execution when a user visits a crafted HTML/JS page (drive-by), i.e. direct client-side exploitation.
NVD Description
Use after free in V8 in Google Chrome prior to 133.0.6943.98 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Deeper analysis
CVE-2025-0995 is a use-after-free vulnerability (CWE-416) in the V8 JavaScript and WebAssembly engine within Google Chrome versions prior to 133.0.6943.98. This flaw allows a remote attacker to potentially exploit heap corruption through a crafted HTML page. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), classified as high severity by Chromium security standards.
A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website or interacting with a crafted HTML page, requiring user interaction but no special privileges. Successful exploitation could lead to heap corruption, potentially enabling arbitrary read/write access to memory, code execution, or other severe impacts on confidentiality, integrity, and availability within the browser's renderer process.
Google's stable channel update, detailed in the Chrome Releases blog post at https://chromereleases.googleblog.com/2025/02/stable-channel-update-for-desktop_12.html, addresses this issue by patching affected versions to 133.0.6943.98 and later. Additional technical details are available in the Chromium issue tracker at https://issues.chromium.org/issues/391907159. Security practitioners should prioritize updating Chrome installations and advise users to avoid untrusted web content until patched.
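As an added illustration of the "prior to 133.0.6943.98" condition, the following is a version check a defender can run over an inventory of reported Chrome builds. This is example code written for this page, not code from the advisory, Google or the Chromium project; the hostnames and version strings in the sample inventory are constructed, and only the fixed version string comes from the advisory text above.

```python
"""Flag Chrome installs whose version predates the fixed release.

Added example, not from the advisory. FIXED_VERSION is taken from the
advisory text; every host and version in the sample inventory is constructed.
"""
import re

FIXED_VERSION = "133.0.6943.98"  # first stable Chrome release carrying the V8 fix


def parse_version(version: str) -> tuple[int, ...]:
    """Split a dotted Chrome version string into a tuple of integers.

    Numeric comparison matters: as plain strings, "133.0.6943.100" sorts
    before "133.0.6943.98" ("1" < "9"), which would wrongly flag a newer
    build as vulnerable.
    """
    version = version.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `installed` is strictly prior to `fixed`, matching the NVD wording."""
    a, b = parse_version(installed), parse_version(fixed)
    # Pad the shorter tuple with zeros so "133.0" compares like "133.0.0.0".
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def triage(inventory: dict[str, str]) -> list[str]:
    """Return the hostnames whose Chrome build predates the fix, sorted by name."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> Chrome version reported by the endpoint.
    sample = {
        "ws-01": "133.0.6943.98",    # exactly the fixed build
        "ws-02": "132.0.6834.160",   # earlier major version
        "ws-03": "133.0.6943.100",   # newer patch build, numerically greater
        "ws-04": "133.0.6943.9",     # earlier patch build on the same branch
    }
    for host in triage(sample):
        print(f"{host}: Chrome {sample[host]} predates {FIXED_VERSION}, update required")
```

The inventory dictionary stands in for whatever source a fleet actually reports versions from (an MDM export, an EDR query, a software-inventory CSV); the comparison logic is the part worth getting right, since string-based version comparison is a common source of false positives and, worse, false negatives in patch-compliance reporting.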
Details
- CWE(s)