CVE-2025-10500
Published: 24 September 2025
Summary
CVE-2025-10500 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 37.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates identification, reporting, and timely remediation of flaws such as this use-after-free vulnerability in Chrome Dawn via patching to version 140.0.7339.185 or later.
Implements memory protection mechanisms that directly mitigate use-after-free heap corruption by preventing unauthorized code execution from exploited memory errors.
Enforces process isolation, such as Chrome's renderer sandboxing, to contain potential arbitrary code execution from heap corruption within unprivileged processes.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Use-after-free in Chrome Dawn enables drive-by compromise via crafted HTML page (T1189) and client-side exploitation for code execution (T1203).
NVD Description
Use after free in Dawn in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2025-10500 is a use-after-free vulnerability (CWE-416) in Dawn within Google Chrome versions prior to 140.0.7339.185. This flaw enables a remote attacker to potentially exploit heap corruption through a crafted HTML page. The issue carries a Chromium security severity rating of High and a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), highlighting its potential for significant impact.
A remote attacker can exploit this vulnerability over the network with low attack complexity and no required privileges, though it depends on user interaction such as visiting a malicious site. Successful exploitation could lead to heap corruption, granting high impacts on confidentiality, integrity, and availability, potentially allowing arbitrary code execution or similar compromise of the browser process.
Google addressed the vulnerability in Chrome stable channel version 140.0.7339.185. Users should update to this version or later to mitigate the issue. Additional details are provided in the Chrome Releases blog post at https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_17.html and the Chromium issue tracker at https://issues.chromium.org/issues/435875050.
Details
- CWE(s)