CVE-2025-14766
Published: 16 December 2025
Summary
CVE-2025-14766 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 34.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates timely identification, reporting, and patching of known flaws like the V8 out-of-bounds vulnerability in Chrome.
Implements memory protection safeguards such as ASLR and DEP to prevent successful heap corruption from out-of-bounds reads and writes.
Requires vulnerability scanning to identify and prioritize remediation of unpatched Chrome instances affected by this V8 flaw.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Out-of-bounds read/write in Chrome's V8 engine enables heap corruption and arbitrary code execution via crafted HTML page, directly facilitating drive-by compromise through malicious websites and client-side exploitation.
NVD Description
Out of bounds read and write in V8 in Google Chrome prior to 143.0.7499.147 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2025-14766 is an out-of-bounds read and write vulnerability in the V8 JavaScript and WebAssembly engine within Google Chrome versions prior to 143.0.7499.147. This flaw, classified under CWE-125 (Out-of-bounds Read) and CWE-787 (Out-of-bounds Write), enables heap corruption when processing a crafted HTML page. The Chromium security team rates it as High severity, with a CVSS v3.1 base score of 8.8.
A remote attacker can exploit this vulnerability over the network with low complexity and no privileges required, though it necessitates user interaction such as visiting a malicious site. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution through heap corruption without changing the security scope.
Chrome's stable channel update advisory and the associated Chromium issue tracker detail mitigation through upgrading to version 143.0.7499.147 or later, which addresses the V8 defects. Security practitioners should prioritize patching affected Chrome installations and advise users to enable automatic updates.
Details
- CWE(s)