Cyber Resilience

CVE-2025-2476

High

Published: 19 March 2025

Modified: 01 April 2025
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.1065 (93.5th percentile)
Risk Priority: 24 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-2476 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks in the top 6.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-39 (Process Isolation).

Deeper analysis

The vulnerability is a use-after-free flaw in the Lens component of Google Chrome, present in versions prior to 134.0.6998.117. It is tracked as CVE-2025-2476, carries a CVSS 3.1 score of 8.8, and is classified under CWE-416, with Chromium assigning it critical severity because successful exploitation can result in heap corruption.

A remote attacker can trigger the issue by convincing a user to visit a specially crafted HTML page, after which the flaw may be exploited to corrupt heap memory and potentially execute arbitrary code or cause other impacts within the browser process.

The official Chrome stable-channel update released on 19 March 2025 addresses the issue by updating to version 134.0.6998.117; the corresponding Chromium bug tracker entry provides additional technical detail on the fix. The EPSS score rose from a low baseline to a recorded peak of 0.1642 before settling at the current value of 0.1065, indicating that exploitation interest increased after public disclosure.

Vulnerability details

Use after free in Lens in Google Chrome prior to 134.0.6998.117 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1189 Drive-by Compromise (Tactic: Initial Access)
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

T1203 Exploitation for Client Execution (Tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

A use-after-free in the Chrome browser, triggered via a crafted HTML page, directly enables drive-by compromise (T1189) when a user visits a malicious site, and exploitation for client execution (T1203), leading to heap corruption and potential RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-9923 (Same product: Google Chrome)
CVE-2026-9941 (Same product: Google Chrome)
CVE-2026-6358 (Same product: Google Chrome)
CVE-2026-8581 (Same product: Google Chrome)
CVE-2026-6359 (Same product: Google Chrome)
CVE-2026-8549 (Same product: Google Chrome)
CVE-2025-1006 (Same product: Google Chrome)
CVE-2025-2136 (Same product: Google Chrome)
CVE-2025-0995 (Same product: Google Chrome)
CVE-2026-6360 (Same product: Google Chrome)

Affected Assets

Vendor: google | Product: chrome | Versions: ≤ 134.0.6998.117

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Directly requires identification, reporting, and correction of flaws like the use-after-free in Chrome's Lens component via timely patching to version 134.0.6998.117.

Prevent: Implements memory protection mechanisms such as ASLR and DEP to mitigate exploitation of heap corruption resulting from the use-after-free vulnerability.

Prevent: Enforces process isolation through browser sandboxing to contain potential impacts of Lens component exploitation via crafted HTML pages.