CVE-2025-10892
Published: 24 September 2025
Summary
CVE-2025-10892 is a high-severity External Control of Assumed-Immutable Web Parameter (CWE-472) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 30.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely identification, reporting, and patching of software flaws like the integer overflow in Chrome's V8 engine to prevent heap corruption exploitation.
Implements memory protection mechanisms that mitigate heap corruption resulting from the V8 integer overflow vulnerability.
Enables vulnerability scanning to identify and prioritize remediation of systems running vulnerable Chrome versions affected by CVE-2025-10892.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Integer overflow in V8 JS engine enables RCE via crafted HTML page (drive-by or malicious link), directly mapping to client-side exploitation and user-triggered execution techniques.
NVD Description
Integer overflow in V8 in Google Chrome prior to 140.0.7339.207 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2025-10892 is an integer overflow vulnerability in the V8 JavaScript engine within Google Chrome prior to version 140.0.7339.207. The flaw enables a remote attacker to potentially trigger heap corruption via a crafted HTML page. It maps to CWE-190 (Integer Overflow or Wraparound) and CWE-472 (External Control of Critical State Data), with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), classified as High severity by Chromium security standards.
A remote attacker without privileges can exploit this over the network with low attack complexity, though it requires user interaction, such as convincing a target to load the malicious HTML page in a browser. Successful exploitation could grant high-impact confidentiality, integrity, and availability compromises, potentially allowing heap corruption that leads to arbitrary code execution or system compromise.
Mitigation is available via the Chrome stable channel update to version 140.0.7339.207 or later, as announced in the Chrome Releases Google Blog and detailed in Chromium issue 444048019. Security practitioners should prioritize updating affected Chrome installations and advise users to enable automatic updates.
Details
- CWE(s)