Cyber Resilience

CVE-2025-10500

High

Published: 24 September 2025

Published
24 September 2025
Modified
25 September 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0022 44.7th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-10500 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 44.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2025-10500 is a use-after-free vulnerability (CWE-416) in Dawn within Google Chrome versions prior to 140.0.7339.185. This flaw enables a remote attacker to potentially exploit heap corruption through a crafted HTML page. The issue carries a Chromium security severity rating of High and a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), highlighting its potential for significant impact.

A remote attacker can exploit this vulnerability over the network with low attack complexity and no required privileges, though it depends on user interaction such as visiting a malicious site. Successful exploitation could lead to heap corruption, granting high impacts on confidentiality, integrity, and availability, potentially allowing arbitrary code execution or similar compromise of the browser process.

Google addressed the vulnerability in Chrome stable channel version 140.0.7339.185. Users should update to this version or later to mitigate the issue. Additional details are provided in the Chrome Releases blog post at https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_17.html and the Chromium issue tracker at https://issues.chromium.org/issues/435875050.

EU & UK References

Vulnerability details

Use after free in Dawn in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Use-after-free in Chrome Dawn enables drive-by compromise via crafted HTML page (T1189) and client-side exploitation for code execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-13633Same product: Apple Macos
CVE-2026-3918Same product: Apple Macos
CVE-2026-5877Same product: Apple Macos
CVE-2025-10501Same product: Apple Macos
CVE-2026-9978Same product: Apple Macos
CVE-2026-6302Same product: Apple Macos
CVE-2026-5281Same product: Apple Macos
CVE-2026-5284Same product: Apple Macos
CVE-2026-9952Same product: Apple Macos
CVE-2026-7987Same product: Apple Macos

Affected Assets

google
chrome
≤ 140.0.7339.185

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates identification, reporting, and timely remediation of flaws such as this use-after-free vulnerability in Chrome Dawn via patching to version 140.0.7339.185 or later.

prevent

Implements memory protection mechanisms that directly mitigate use-after-free heap corruption by preventing unauthorized code execution from exploited memory errors.

prevent

Enforces process isolation, such as Chrome's renderer sandboxing, to contain potential arbitrary code execution from heap corruption within unprivileged processes.

References