CVE-2025-9132
Published: 20 August 2025
Summary
CVE-2025-9132 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 40.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely remediation of flaws like the out-of-bounds write in Chrome's V8 engine through patching to version 139.0.7258.138 or later.
Implements memory protections such as bounds checking and stack canaries to directly counter heap corruption from out-of-bounds writes in V8.
Enables vulnerability scanning to identify and prioritize remediation of affected Chrome versions vulnerable to this specific CVE.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Out-of-bounds write in browser JS engine enables drive-by compromise via crafted HTML page and direct client-side exploitation for code execution.
NVD Description
Out of bounds write in V8 in Google Chrome prior to 139.0.7258.138 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2025-9132 is an out-of-bounds write vulnerability (CWE-787) in the V8 JavaScript and WebAssembly engine within Google Chrome versions prior to 139.0.7258.138. This flaw enables potential heap corruption when processing a crafted HTML page. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated High severity by Chromium security standards. It was published on 2025-08-20.
A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website containing a specially crafted HTML page. No user privileges or special access are required beyond the victim's interaction, such as clicking a link or loading the page. Successful exploitation could lead to heap corruption, potentially allowing arbitrary code execution, data tampering, or system compromise with high impacts on confidentiality, integrity, and availability.
Mitigation is addressed in the Google Chrome stable channel update to version 139.0.7258.138 and later, as detailed in the Chrome Releases blog post at https://chromereleases.googleblog.com/2025/08/stable-channel-update-for-desktop_19.html. Additional technical details are available in the Chromium issue tracker at https://issues.chromium.org/issues/436181695. Security practitioners should prioritize updating affected Chrome installations.
Details
- CWE(s)