Cyber Posture

CVE-2025-1920

High

Published: 10 March 2025

Published
10 March 2025
Modified
07 April 2025
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0035 57.5th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1920 is a high-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 42.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Requires timely remediation of software flaws, directly addressing the type confusion vulnerability in Chrome's V8 engine by applying the patch in version 134.0.6998.88.

RA-5 Vulnerability Monitoring and Scanning good match
detect

Mandates vulnerability scanning to identify systems running vulnerable Google Chrome versions prior to 134.0.6998.88.

SI-16 Memory Protection partial match
prevent

Deploys memory protection mechanisms such as ASLR and DEP to mitigate heap corruption exploitation from the V8 type confusion even on unpatched systems.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
attack.mitre.org →
Why these techniques?

Type confusion in V8 JS engine enables remote heap corruption and arbitrary code execution via crafted HTML page in browser, directly facilitating Exploitation for Client Execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Type Confusion in V8 in Google Chrome prior to 134.0.6998.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Deeper analysisAI

CVE-2025-1920 is a type confusion vulnerability (CWE-843) in the V8 JavaScript engine within Google Chrome versions prior to 134.0.6998.88. This flaw enables a remote attacker to potentially trigger heap corruption by means of a crafted HTML page. The issue has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated High severity by Chromium security standards.

A remote attacker without privileges can exploit this vulnerability by luring a user into interacting with a malicious site, such as by visiting a crafted HTML page. Successful exploitation could grant high-level impacts on confidentiality, integrity, and availability, potentially allowing heap corruption that leads to arbitrary code execution or other severe compromises within the browser context.

Google has addressed the vulnerability in Chrome stable channel version 134.0.6998.88 and later, as announced in the stable channel update for desktop (https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_10.html). Further technical details are available in the associated Chromium issue tracker (https://issues.chromium.org/issues/398065918). Security practitioners should prioritize updating affected Chrome installations to mitigate this risk.

Details

CWE(s)
CWE-843

Affected Products

google
chrome
≤ 134.0.6998.88

CVEs Like This One

CVE-2026-6363Same product: Google Chrome
CVE-2025-2135Same product: Google Chrome
CVE-2025-0762Same product: Google Chrome
CVE-2025-0997Same product: Google Chrome
CVE-2026-6315Same product: Google Chrome
CVE-2025-1916Same product: Google Chrome
CVE-2026-2648Same product: Google Chrome
CVE-2026-6319Same product: Google Chrome
CVE-2025-0291Same product: Google Chrome
CVE-2025-12907Same product: Google Chrome

References