Cyber Resilience

CVE-2025-14766

High

Published: 16 December 2025

Modified: 23 December 2025
KEV Added
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0015 (35.7th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-14766 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks at the 35.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-16 (Memory Protection).

Deeper analysis

CVE-2025-14766 is an out-of-bounds read and write vulnerability in the V8 JavaScript and WebAssembly engine within Google Chrome versions prior to 143.0.7499.147. This flaw, classified under CWE-125 (Out-of-bounds Read) and CWE-787 (Out-of-bounds Write), enables heap corruption when processing a crafted HTML page. The Chromium security team rates it as High severity, with a CVSS v3.1 base score of 8.8.

A remote attacker can exploit this vulnerability over the network with low complexity and no privileges required, though it necessitates user interaction such as visiting a malicious site. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution through heap corruption without changing the security scope.

Chrome's stable channel update advisory and the associated Chromium issue tracker detail mitigation through upgrading to version 143.0.7499.147 or later, which addresses the V8 defects. Security practitioners should prioritize patching affected Chrome installations and advise users to enable automatic updates.

Vulnerability details

Out of bounds read and write in V8 in Google Chrome prior to 143.0.7499.147 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1189 Drive-by Compromise (Initial Access): Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1203 Exploitation for Client Execution (Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

An out-of-bounds read/write in Chrome's V8 engine enables heap corruption and arbitrary code execution via a crafted HTML page, directly facilitating drive-by compromise through malicious websites and client-side exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7899 (Same product: Apple macOS)
CVE-2026-3920 (Same product: Apple macOS)
CVE-2026-4459 (Same product: Apple macOS)
CVE-2026-5873 (Same product: Apple macOS)
CVE-2026-4440 (Same product: Apple macOS)
CVE-2026-3062 (Same product: Apple macOS)
CVE-2026-0899 (Same product: Apple macOS)
CVE-2026-7902 (Same product: Apple macOS)
CVE-2026-7354 (Same product: Apple macOS)
CVE-2026-9879 (Same product: Apple macOS)

Affected Assets

google chrome ≤ 143.0.7499.146

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Directly mandates timely identification, reporting, and patching of known flaws like the V8 out-of-bounds vulnerability in Chrome.

Prevent: Implements memory protection safeguards such as ASLR and DEP to prevent successful heap corruption from out-of-bounds reads and writes.

Detect: Requires vulnerability scanning to identify and prioritize remediation of unpatched Chrome instances affected by this V8 flaw.

References