Cyber Resilience

CVE-2025-1916

High

Published: 05 March 2025

Published
05 March 2025
Modified
01 April 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0014 33.5th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1916 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 33.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-1916 is a use-after-free vulnerability (CWE-416) in the Profiles component of Google Chrome prior to version 134.0.6998.35. Published on 2025-03-05, it enables potential heap corruption via a crafted HTML page when exploited through a malicious extension. The issue carries a Chromium security severity of Medium and a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

An attacker who convinces a user to install a malicious browser extension can exploit this vulnerability. With the extension in place, a crafted HTML page triggers the use-after-free, potentially allowing heap corruption that compromises confidentiality, integrity, and availability with high impact, though it requires user interaction and has low attack complexity over the network with no privileges needed.

Google addressed this vulnerability in Chrome stable channel version 134.0.6998.35, as documented in the Chrome Releases blog post at https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop.html and the Chromium issue tracker at https://issues.chromium.org/issues/376493203. Security practitioners should prioritize updating affected systems to this version or later to mitigate the risk.

EU & UK References

Vulnerability details

Use after free in Profiles in Google Chrome prior to 134.0.6998.35 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Use-after-free in Chrome browser (client application) exploited via crafted HTML page and malicious extension enables code execution in client software.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-6319Same product: Google Chrome
CVE-2026-6315Same product: Google Chrome
CVE-2025-0997Same product: Google Chrome
CVE-2025-0762Same product: Google Chrome
CVE-2026-9923Same product: Google Chrome
CVE-2026-9941Same product: Google Chrome
CVE-2026-6358Same product: Google Chrome
CVE-2026-8581Same product: Google Chrome
CVE-2026-6359Same product: Google Chrome
CVE-2026-8580Same product: Google Chrome

Affected Assets

google
chrome
≤ 134.0.6998.35

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely remediation of the use-after-free vulnerability by patching to Chrome 134.0.6998.35 or later, directly eliminating the flaw.

prevent

Prohibits or controls user installation of malicious browser extensions required as a prerequisite to trigger the vulnerability via crafted HTML pages.

prevent

Implements memory protections such as ASLR and heap isolation to mitigate exploitation of heap corruption from the use-after-free in Chrome's Profiles component.

References