Cyber Posture

CVE-2025-1918

High

Published: 05 March 2025

Published
05 March 2025
Modified
01 April 2025
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0066 71.3th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1918 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked in the top 28.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious File (T1204.002). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Timely flaw remediation ensures patching of the out-of-bounds read vulnerability in PDFium by updating Google Chrome to version 134.0.6998.35 or later.

SI-16 Memory Protection partial match
prevent

Memory protection controls like ASLR and stack canaries mitigate exploitation of out-of-bounds memory access in PDFium processing crafted PDFs.

RA-5 Vulnerability Monitoring and Scanning partial match
detect

Vulnerability scanning identifies systems running vulnerable Google Chrome versions prior to 134.0.6998.35 affected by the PDFium flaw.

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
attack.mitre.org →
Why these techniques?

The vulnerability is an out-of-bounds read in PDFium triggered by a crafted PDF file requiring user interaction to open in Chrome, directly enabling exploitation through user execution of a malicious file.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Out of bounds read in PDFium in Google Chrome prior to 134.0.6998.35 allowed a remote attacker to potentially perform out of bounds memory access via a crafted PDF file. (Chromium security severity: Medium)

Deeper analysisAI

CVE-2025-1918 is an out-of-bounds read vulnerability (CWE-125) in the PDFium component of Google Chrome prior to version 134.0.6998.35. Published on 2025-03-05, it allows a remote attacker to potentially perform out-of-bounds memory access via a crafted PDF file. Chromium rates the severity as Medium.

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). A remote attacker requires no privileges and can exploit it over the network with low attack complexity, though user interaction is needed, such as convincing a user to open a malicious PDF file in Chrome. Successful exploitation could lead to high impacts on confidentiality, integrity, and availability.

Google's Chrome Releases blog announces the patch in the stable channel update for desktop at https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop.html, with details tracked in the Chromium issue at https://issues.chromium.org/issues/388557904. Mitigation requires updating to Chrome 134.0.6998.35 or later.

Details

CWE(s)
CWE-125

Affected Products

google
chrome
≤ 134.0.6998.35

CVEs Like This One

CVE-2025-1914Same product: Google Chrome
CVE-2025-0612Same product: Google Chrome
CVE-2025-0437Same product: Google Chrome
CVE-2025-1919Same product: Google Chrome
CVE-2025-2137Same product: Google Chrome
CVE-2026-6361Same product: Google Chrome
CVE-2025-0762Same product: Google Chrome
CVE-2026-6363Same product: Google Chrome
CVE-2026-0628Same product: Google Chrome
CVE-2025-0997Same product: Google Chrome

References