CVE-2025-10891
Published: 24 September 2025
Summary
CVE-2025-10891 is a high-severity External Control of Assumed-Immutable Web Parameter (CWE-472) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 30.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires organizations to identify, report, prioritize, and remediate flaws like the V8 integer overflow in Chrome prior to version 140.0.7339.207 via timely vendor patches.
Mandates vulnerability scanning to identify and address systems running vulnerable Chrome versions exploitable by crafted HTML pages.
Implements memory protections such as ASLR and DEP to mitigate heap corruption resulting from the V8 integer overflow vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables drive-by compromise via crafted malicious HTML/JS page leading to client-side RCE in browser renderer.
NVD Description
Integer overflow in V8 in Google Chrome prior to 140.0.7339.207 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2025-10891 is an integer overflow vulnerability (CWE-472) in the V8 JavaScript and WebAssembly engine within Google Chrome versions prior to 140.0.7339.207. The flaw allows a remote attacker to potentially trigger heap corruption by processing a crafted HTML page, as reported with a Chromium security severity rating of High and a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A remote attacker can exploit this vulnerability by convincing a user to visit a malicious website or interact with a specially crafted HTML page, requiring no privileges but relying on user interaction. Successful exploitation could lead to arbitrary code execution, including potential remote code execution with the renderer process privileges, enabling high-impact confidentiality, integrity, and availability violations such as data theft, sandbox escape precursors, or full compromise of the affected browser instance.
Mitigation is addressed in the Google Chrome Stable Channel update announced on the Chrome Releases blog (https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_23.html), which patches the issue in version 140.0.7339.207 and later. Additional details are available in the Chromium issue tracker (https://issues.chromium.org/issues/443765373). Security practitioners should prioritize updating affected Chrome installations and advise users to enable automatic updates.
Details
- CWE(s)