CVE-2025-1919
Published: 05 March 2025
Summary
CVE-2025-1919 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked in the top 28.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the out-of-bounds read vulnerability by requiring timely application of the Chrome patch to version 134.0.6998.35.
Implements memory protections such as address space layout randomization and stack guards to minimize the impact of out-of-bounds read exploits in the Media component.
Enforces process isolation via browser sandboxing to contain exploitation of media parsing flaws within renderer processes, limiting potential remote code execution.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The out-of-bounds read in Chrome's Media component via crafted HTML directly enables Drive-by Compromise (T1189) through malicious website visits and Exploitation for Client Execution (T1203) in a client application.
NVD Description
Out of bounds read in Media in Google Chrome prior to 134.0.6998.35 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)
Deeper analysisAI
CVE-2025-1919 is an out-of-bounds read vulnerability (CWE-125) in the Media component of Google Chrome versions prior to 134.0.6998.35. It enables a remote attacker to potentially perform out-of-bounds memory access through a crafted HTML page. The issue carries a Chromium security severity rating of Medium and a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), highlighting its high potential impact on confidentiality, integrity, and availability.
A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website, as it requires user interaction but no special privileges. Successful exploitation could lead to high-impact outcomes, including unauthorized access to sensitive memory contents, code execution, or system crashes, depending on the attacker's crafted payload and the victim's system.
Google addressed this vulnerability in Chrome version 134.0.6998.35 via the stable channel update for desktop, as detailed in the Chrome Releases blog at https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop.html. Additional technical details are available in the Chromium issue tracker at https://issues.chromium.org/issues/392375312. Security practitioners should advise users to update to the patched version immediately.
Details
- CWE(s)