CVE-2025-2476
Published: 19 March 2025
Summary
CVE-2025-2476 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE is ranked in the top 6.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-39 (Process Isolation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly requires identification, reporting, and correction of flaws like the use-after-free in Chrome's Lens component via timely patching to version 134.0.6998.117.
Implements memory protection mechanisms such as ASLR and DEP to mitigate exploitation of heap corruption resulting from the use-after-free vulnerability.
Enforces process isolation through browser sandboxing to contain potential impacts of Lens component exploitation via crafted HTML pages.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A use-after-free in the Chrome browser, reachable via a crafted HTML page, directly enables drive-by compromise (T1189) when a user visits a malicious site, and exploitation for client execution (T1203), leading to heap corruption and potential RCE.
NVD Description
Use after free in Lens in Google Chrome prior to 134.0.6998.117 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
Deeper analysis
CVE-2025-2476 is a use-after-free vulnerability (CWE-416) in the Lens component of Google Chrome prior to version 134.0.6998.117. This flaw allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is classified as Critical by Chromium security severity standards.
A remote attacker without privileges can exploit this vulnerability by luring a user to interact with a malicious site hosting the crafted HTML page. User interaction, such as visiting the page, is required for successful exploitation. If exploited, the attacker could achieve high confidentiality, integrity, and availability impacts through heap corruption.
Google addressed CVE-2025-2476 in the stable channel update for Chrome desktop, released as version 134.0.6998.117, as announced in the Chrome Releases blog (https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_19.html). Further technical details are available in the Chromium issue tracker (https://issues.chromium.org/issues/401029609). Security practitioners should prioritize updating affected Chrome installations to mitigate this risk.
Details
- CWE(s)