CVE-2025-2476
Published: 19 March 2025
Summary
CVE-2025-2476 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks in the top 6.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-39 (Process Isolation).
Deeper analysis
The vulnerability is a use-after-free flaw in the Lens component of Google Chrome, present in versions prior to 134.0.6998.117. It is tracked as CVE-2025-2476, carries a CVSS 3.1 score of 8.8, and is classified under CWE-416, with Chromium assigning it critical severity because successful exploitation can result in heap corruption.
A remote attacker can trigger the issue by convincing a user to visit a specially crafted HTML page, after which the flaw may be exploited to corrupt heap memory and potentially execute arbitrary code or cause other impacts within the browser process.
The official Chrome stable-channel update released on 19 March 2025 addresses the issue by updating to version 134.0.6998.117; the corresponding Chromium bug tracker entry provides additional technical detail on the fix. The EPSS score rose from a low baseline to a recorded peak of 0.1642 before settling at the current value of 0.1065, indicating that exploitation interest increased after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6763
Vulnerability details
Use after free in Lens in Google Chrome prior to 134.0.6998.117 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A use-after-free in the Chrome browser, triggered via a crafted HTML page, directly enables drive-by compromise (T1189) when a user visits a malicious site, and exploitation for client execution (T1203), leading to heap corruption and potential RCE.
Mitigating Controls (NIST 800-53 r5)
Directly requires identification, reporting, and correction of flaws like the use-after-free in Chrome's Lens component via timely patching to version 134.0.6998.117.
Implements memory protection mechanisms such as ASLR and DEP to mitigate exploitation of heap corruption resulting from the use-after-free vulnerability.
Enforces process isolation through browser sandboxing to contain potential impacts of Lens component exploitation via crafted HTML pages.