CVE-2025-10502
Published: 24 September 2025
Summary
CVE-2025-10502 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks at the 29.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-16 (Memory Protection).
Mitigating Controls (NIST 800-53 r5)
- Requires timely remediation of identified flaws, directly addressing this heap buffer overflow by mandating installation of the Chrome patch to version 140.0.7339.185 or later.
- Implements memory protection safeguards such as ASLR and DEP that directly mitigate heap buffer overflow exploits by preventing unauthorized code execution from corrupted memory.
- Enables vulnerability scanning to identify the presence of this specific unpatched Chrome ANGLE vulnerability, facilitating prompt remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A heap overflow in Chrome ANGLE/WebGL enables drive-by compromise via a malicious webpage and direct client-side code execution in the renderer process.
NVD Description
Heap buffer overflow in ANGLE in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via malicious network traffic. (Chromium security severity: High)
Deeper analysis
CVE-2025-10502 is a heap buffer overflow vulnerability (CWE-122) in the ANGLE graphics component of Google Chrome versions prior to 140.0.7339.185. ANGLE, which provides OpenGL ES support for WebGL rendering, mishandles certain inputs, leading to potential heap corruption. The issue carries a Chromium security severity rating of High and a CVSS v3.1 base score of 8.8.
A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website or processing crafted network traffic that triggers the buffer overflow in ANGLE. Exploitation requires user interaction, such as loading a malicious webpage, but needs no special privileges. Successful exploitation could allow arbitrary code execution with the privileges of the Chrome renderer process, potentially compromising confidentiality, integrity, and availability (C:H/I:H/A:H).
The fix ships in the Chrome stable channel update announced on the Chrome Releases blog, which patches the vulnerability in version 140.0.7339.185 and later. Additional details are available in the associated Chromium issue tracker. Security practitioners should advise users to update Google Chrome immediately to the latest version.
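A fleet check against the fixed version named above, as an added example that is not part of the original page. It assumes a constructed `host,<chrome --version output>` inventory format and compares versions numerically, because a string comparison would wrongly rank 140.0.7339.99 above 140.0.7339.185.

```python
import re

# Fixed version stated on this page: Chrome 140.0.7339.185 or later.
FIXED = (140, 0, 7339, 185)

# Four-part version as printed by `google-chrome --version`,
# e.g. "Google Chrome 140.0.7339.127".
VERSION_RE = re.compile(r"Google Chrome\s+(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the version as a tuple of ints, or None if not recognisable."""
    m = VERSION_RE.search(text)
    return tuple(int(part) for part in m.groups()) if m else None


def classify(text):
    """Classify one version string relative to the fixed build."""
    version = parse_version(text)
    if version is None:
        # No parsable version: report it for follow-up, never assume patched.
        return "unknown"
    # Tuple comparison is numeric per component (99 < 185).
    return "patched" if version >= FIXED else "vulnerable"


def audit(inventory_lines):
    """Map host -> status for lines of the assumed 'host,version' format."""
    findings = {}
    for line in inventory_lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        host, _, version_text = line.partition(",")
        findings[host.strip()] = classify(version_text)
    return findings


# Constructed sample inventory (hypothetical hosts and collected output).
SAMPLE = """\
# host,version output
ws-001,Google Chrome 140.0.7339.185
ws-002,Google Chrome 140.0.7339.99
ws-003,Google Chrome 139.0.7258.155
ws-004,Google Chrome 141.0.7390.54
ws-005,command not found
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE.splitlines()).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` need the same follow-up as `vulnerable` ones, since a missing version string is not evidence of a patched browser.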
Details
- CWE(s)