CVE-2025-8901
Published: 13 August 2025
Summary
CVE-2025-8901 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 28.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-5 (Security Alerts, Advisories, and Directives).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the CVE by requiring timely identification, correction, and testing of the out-of-bounds write flaw in Chrome's ANGLE component via patching to version 139.0.7258.127 or later.
Ensures receipt and implementation of vendor security advisories, such as Chrome Releases blog updates, to address this specific high-severity vulnerability promptly.
Implements memory protection mechanisms that hinder exploitation of out-of-bounds write vulnerabilities through techniques like DEP and ASLR in the browser context.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Out-of-bounds write in Chrome/ANGLE enables drive-by browser exploitation via malicious HTML (T1189) and direct client-side code execution (T1203).
NVD Description
Out of bounds write in ANGLE in Google Chrome prior to 139.0.7258.127 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2025-8901 is an out-of-bounds write vulnerability (CWE-787) in the ANGLE graphics component integrated into Google Chrome versions prior to 139.0.7258.127. The flaw allows out-of-bounds memory access when rendering a crafted HTML page, earning a Chromium security severity rating of High and a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A remote attacker can exploit this vulnerability by luring a user to visit a malicious website containing the crafted HTML page, requiring user interaction such as clicking or loading the page. No special privileges are needed, and the low attack complexity enables broad potential reach. Successful exploitation could result in high-impact compromise of confidentiality, integrity, and availability, such as arbitrary code execution or system crashes within the browser context.
Mitigation is available via the Google Chrome stable channel update to version 139.0.7258.127 or later, as announced in the Chrome Releases blog post and detailed in the associated Chromium issue tracker entry (issues/435139154). Security practitioners should prioritize updating affected Chrome installations and advise users to enable automatic updates.
Details
- CWE(s)