Cyber Posture

CVE-2025-1916

High

Published: 05 March 2025

Published
05 March 2025
Modified
01 April 2025
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0014 33.2th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1916 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 33.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Requires timely remediation of the use-after-free vulnerability by patching to Chrome 134.0.6998.35 or later, directly eliminating the flaw.

CM-11 User-installed Software good match
prevent

Prohibits or controls user installation of malicious browser extensions required as a prerequisite to trigger the vulnerability via crafted HTML pages.

SI-16 Memory Protection partial match
prevent

Implements memory protections such as ASLR and heap isolation to mitigate exploitation of heap corruption from the use-after-free in Chrome's Profiles component.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
attack.mitre.org →
Why these techniques?

Use-after-free in Chrome browser (client application) exploited via crafted HTML page and malicious extension enables code execution in client software.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Use after free in Profiles in Google Chrome prior to 134.0.6998.35 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Deeper analysisAI

CVE-2025-1916 is a use-after-free vulnerability (CWE-416) in the Profiles component of Google Chrome prior to version 134.0.6998.35. Published on 2025-03-05, it enables potential heap corruption via a crafted HTML page when exploited through a malicious extension. The issue carries a Chromium security severity of Medium and a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

An attacker who convinces a user to install a malicious browser extension can exploit this vulnerability. With the extension in place, a crafted HTML page triggers the use-after-free, potentially allowing heap corruption that compromises confidentiality, integrity, and availability with high impact, though it requires user interaction and has low attack complexity over the network with no privileges needed.

Google addressed this vulnerability in Chrome stable channel version 134.0.6998.35, as documented in the Chrome Releases blog post at https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop.html and the Chromium issue tracker at https://issues.chromium.org/issues/376493203. Security practitioners should prioritize updating affected systems to this version or later to mitigate the risk.

Details

CWE(s)
CWE-416

Affected Products

google
chrome
≤ 134.0.6998.35

CVEs Like This One

CVE-2025-0762Same product: Google Chrome
CVE-2025-0997Same product: Google Chrome
CVE-2026-6315Same product: Google Chrome
CVE-2026-6319Same product: Google Chrome
CVE-2026-6358Same product: Google Chrome
CVE-2025-0995Same product: Google Chrome
CVE-2025-2136Same product: Google Chrome
CVE-2026-6359Same product: Google Chrome
CVE-2025-1006Same product: Google Chrome
CVE-2025-2476Same product: Google Chrome

References