CVE-2025-12725
Published: 10 November 2025
Summary
CVE-2025-12725 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 27.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the CVE by requiring timely patching of the out-of-bounds read vulnerability in Chrome's WebGPU component to the fixed version 142.0.7444.137.
Implements memory protection mechanisms like ASLR and DEP to prevent exploitation of the out-of-bounds memory read leading to write in WebGPU.
Enforces process isolation through browser sandboxing to contain potential arbitrary code execution from the WebGPU memory corruption within restricted processes.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a client-side browser flaw exploitable via a crafted HTML page on a malicious website, directly enabling drive-by compromise (T1189) and exploitation for client execution (T1203).
NVD Description
Out of bounds read in WebGPU in Google Chrome on Android prior to 142.0.7444.137 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2025-12725 is an out-of-bounds read vulnerability in the WebGPU component of Google Chrome on Android versions prior to 142.0.7444.137. The flaw, classified under CWE-125, enables a remote attacker to perform an out-of-bounds memory write through a crafted HTML page. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), rated as High severity by Chromium security.
A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website or interacting with a crafted HTML page that triggers the WebGPU functionality. No special privileges are required, though user interaction is necessary. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, potentially allowing arbitrary code execution or system compromise on the affected Android device.
Google addressed the issue in Chrome for Android version 142.0.7444.137. Security practitioners should advise users to update to this version or later. Relevant advisories include the Chrome Releases blog post at https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop.html and the Chromium issue tracker at https://issues.chromium.org/issues/443906252.
Details
- CWE(s)