CVE-2025-0999
Published: 19 February 2025
Summary
CVE-2025-0999 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE is ranked in the top 28.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly addresses the heap buffer overflow by requiring identification, reporting, and timely application of vendor patches such as Chrome 133.0.6943.126.
- SI-16 (Memory Protection): Provides memory protection safeguards to limit unauthorized code execution resulting from heap corruption in the V8 engine.
- RA-5 (Vulnerability Monitoring and Scanning): Facilitates detection of systems running Chrome versions prior to 133.0.6943.126 through periodic vulnerability scanning.
MITRE ATT&CK Enterprise Techniques
- Drive-by Compromise (T1189)
- Exploitation for Client Execution (T1203)
Why these techniques?
The heap buffer overflow in V8 enables client-side remote code execution via crafted HTML/JS served from a malicious site (drive-by compromise), followed by exploitation for client execution in the browser process.
NVD Description
Heap buffer overflow in V8 in Google Chrome prior to 133.0.6943.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Deeper analysis
CVE-2025-0999 is a heap buffer overflow vulnerability (CWE-122) in the V8 JavaScript and WebAssembly engine within Google Chrome versions prior to 133.0.6943.126. The flaw allows heap corruption when processing a crafted HTML page and carries a Chromium security severity of High and a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). It affects users running the affected Chrome stable-channel releases.
A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website containing the crafted HTML page, requiring user interaction but no special privileges. Successful exploitation could lead to high-impact consequences, including arbitrary code execution, data theft, or system compromise through heap corruption, potentially granting the attacker full control over the victim's browser process.
Google's stable channel update for desktop, detailed in the Chrome Releases blog at https://chromereleases.googleblog.com/2025/02/stable-channel-update-for-desktop_18.html, addresses the issue in version 133.0.6943.126 and later. Additional technical details are available in the Chromium issue tracker at https://issues.chromium.org/issues/394350433. Security practitioners should advise users to update Chrome immediately and enable automatic updates to mitigate exposure.
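As an added example, not part of this advisory, the following Python check implements the RA-5 scanning control and the update advice above: it flags hosts whose Chrome build predates 133.0.6943.126, comparing versions numerically rather than as strings. The hostnames and non-fixed version numbers in the sample inventory are constructed.

```python
"""Constructed example: flag Chrome builds older than the CVE-2025-0999 fix."""
import re
from typing import Dict, Tuple

# First fixed stable release named in the advisory.
FIXED_VERSION = "133.0.6943.126"

# Chrome stable versions are four dot-separated integers.
VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a four-part Chrome version into a tuple of ints.

    Comparing int tuples avoids the classic mistake of comparing version
    strings lexically, where "133.0.6943.99" sorts after "133.0.6943.126"
    and a vulnerable build would be reported as patched.
    """
    version = version.strip()
    if not VERSION_RE.match(version):
        raise ValueError(f"not a Chrome version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build predates the fixed release."""
    return parse_version(installed) < parse_version(fixed)


def scan_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Return hostname -> version for every host still needing the update.

    Hosts whose version cannot be parsed are reported too: an unknown
    version must not be treated as patched.
    """
    findings: Dict[str, str] = {}
    for host, version in inventory.items():
        try:
            if is_vulnerable(version):
                findings[host] = version
        except ValueError:
            findings[host] = f"unknown ({version!r})"
    return findings


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "ws-01": "133.0.6943.99",    # same branch, older patch level
    "ws-02": "133.0.6943.126",   # exactly the fixed release
    "ws-03": "132.0.6834.160",   # earlier major version
    "ws-04": "134.0.6998.35",    # later major version
    "ws-05": "n/a",              # inventory gap
}

if __name__ == "__main__":
    for host, version in scan_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {version} -> update to {FIXED_VERSION} or later")
```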
Details
- CWE(s)