CVE-2025-8292
Published: 30 July 2025
Summary
CVE-2025-8292 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked in the top 36.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-16 (Memory Protection).
Deeper analysis
CVE-2025-8292 is a use-after-free vulnerability (CWE-416) in the Media Stream component of Google Chrome prior to version 138.0.7204.183. Published on 2025-07-30, it enables a remote attacker to potentially exploit heap corruption via a crafted HTML page. Chromium security rates it as High severity with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
The vulnerability can be exploited by a remote attacker with no privileges over the network and low attack complexity, though it requires user interaction such as visiting a malicious site. Successful exploitation could achieve high impacts on confidentiality, integrity, and availability, potentially allowing heap corruption that leads to arbitrary code execution.
Google's stable channel update for Chrome desktop, announced at https://chromereleases.googleblog.com/2025/07/stable-channel-update-for-desktop_29.html, patches the issue in version 138.0.7204.183. Further details are available in the Chromium issue tracker at https://issues.chromium.org/issues/426054987. Mitigation involves updating affected Chrome installations to 138.0.7204.183 or later.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23135
Vulnerability details
Use after free in Media Stream in Google Chrome prior to 138.0.7204.183 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Use-after-free in Chrome Media Stream enables RCE via crafted HTML page, directly mapping to drive-by compromise and malicious link user execution.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires identifying, reporting, and correcting the use-after-free flaw in Chrome's Media Stream by patching to version 138.0.7204.183 or later.
Implements memory protections to prevent unauthorized code execution from heap corruption caused by the use-after-free vulnerability.
Enables vulnerability scanning to identify systems running vulnerable Chrome versions prior to 138.0.7204.183.