CVE-2025-1914
Published: 05 March 2025
Summary
CVE-2025-1914 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked in the top 28.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-5 (Security Alerts, Advisories, and Directives).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Mandates timely identification, reporting, and correction of flaws like the out-of-bounds read in Chrome's V8 engine through patching to version 134.0.6998.35 or later.
Requires receiving and acting on vendor security advisories, such as Chrome release notes, to apply fixes for high-severity vulnerabilities like CVE-2025-1914.
Enables vulnerability scanning to identify systems running vulnerable Chrome versions prior to exploitation via crafted HTML pages.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in Chrome V8 enables exploitation via malicious website/HTML page visit, directly mapping to drive-by compromise for initial access and client application exploitation for code execution/memory access.
NVD Description
Out of bounds read in V8 in Google Chrome prior to 134.0.6998.35 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2025-1914 is an out-of-bounds read vulnerability in the V8 JavaScript and WebAssembly engine within Google Chrome versions prior to 134.0.6998.35. The flaw, classified under CWE-125 (Out-of-bounds Read), enables a remote attacker to perform out-of-bounds memory access through a specially crafted HTML page. Google rates this as High severity in Chromium security, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), highlighting its potential for significant impact on confidentiality, integrity, and availability.
A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website or interacting with a crafted HTML page, requiring no privileges or special access. Successful exploitation grants high-level access to sensitive memory contents, potentially allowing arbitrary code execution, data leakage, or system crashes within the browser's sandboxed context.
Mitigation is addressed in the Chrome Stable Channel update, as detailed in the official release notes at https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop.html, which patches the issue in version 134.0.6998.35 and later. Additional technical details are available in the Chromium issue tracker at https://issues.chromium.org/issues/397731718. Security practitioners should prioritize updating affected Chrome installations to prevent exploitation.
Details
- CWE(s)