CVE-2025-9132
Published: 20 August 2025
Summary
CVE-2025-9132 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 40.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-16 (Memory Protection).
Deeper analysis
CVE-2025-9132 is an out-of-bounds write vulnerability (CWE-787) in the V8 JavaScript and WebAssembly engine within Google Chrome versions prior to 139.0.7258.138. This flaw enables potential heap corruption when processing a crafted HTML page. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated High severity by Chromium security standards. It was published on 2025-08-20.
A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website containing a specially crafted HTML page. No user privileges or special access are required beyond the victim's interaction, such as clicking a link or loading the page. Successful exploitation could lead to heap corruption, potentially allowing arbitrary code execution, data tampering, or system compromise with high impacts on confidentiality, integrity, and availability.
Mitigation is addressed in the Google Chrome stable channel update to version 139.0.7258.138 and later, as detailed in the Chrome Releases blog post at https://chromereleases.googleblog.com/2025/08/stable-channel-update-for-desktop_19.html. Additional technical details are available in the Chromium issue tracker at https://issues.chromium.org/issues/436181695. Security practitioners should prioritize updating affected Chrome installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-25411
Vulnerability details
Out of bounds write in V8 in Google Chrome prior to 139.0.7258.138 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Out-of-bounds write in browser JS engine enables drive-by compromise via crafted HTML page and direct client-side exploitation for code execution.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely remediation of flaws like the out-of-bounds write in Chrome's V8 engine through patching to version 139.0.7258.138 or later.
Implements memory protections such as bounds checking and stack canaries to directly counter heap corruption from out-of-bounds writes in V8.
Enables vulnerability scanning to identify and prioritize remediation of affected Chrome versions vulnerable to this specific CVE.