Cyber Resilience

CVE-2025-9478

High

Published: 26 August 2025

Published
26 August 2025
Modified
02 September 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0022 44.2th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-9478 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 44.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-39 (Process Isolation).

Deeper analysis

CVE-2025-9478 is a use-after-free vulnerability (CWE-416) in the ANGLE graphics component within Google Chrome versions prior to 139.0.7258.154. This flaw allows heap corruption when processing a crafted HTML page, as reported with a Chromium security severity rating of Critical. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), highlighting its potential for significant impact.

A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website containing the crafted HTML page, requiring no privileges but necessitating user interaction. Successful exploitation could enable heap corruption, potentially leading to arbitrary code execution with the privileges of the Chrome renderer process, compromising confidentiality, integrity, and availability.

Google's Chrome Releases stable channel update addresses the vulnerability in version 139.0.7258.154 and later, as detailed in the advisory at https://chromereleases.googleblog.com/2025/08/stable-channel-update-for-desktop_26.html. Additional technical details are available in the Chromium issue tracker at https://issues.chromium.org/issues/437825940. Security practitioners should prioritize updating affected Chrome installations to mitigate the risk.

EU & UK References

Vulnerability details

Use after free in ANGLE in Google Chrome prior to 139.0.7258.154 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Use-after-free in Chrome renderer enables drive-by compromise via malicious HTML page and direct client-side code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-13633Same product: Apple Macos
CVE-2026-3918Same product: Apple Macos
CVE-2026-5877Same product: Apple Macos
CVE-2025-10501Same product: Apple Macos
CVE-2026-9978Same product: Apple Macos
CVE-2026-6302Same product: Apple Macos
CVE-2026-5281Same product: Apple Macos
CVE-2026-5284Same product: Apple Macos
CVE-2026-9952Same product: Apple Macos
CVE-2026-7987Same product: Apple Macos

Affected Assets

google
chrome
≤ 139.0.7258.154

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the use-after-free vulnerability by requiring timely application of the Chrome patch to version 139.0.7258.154 or later.

prevent

Mitigates heap corruption from use-after-free exploits through memory protection mechanisms like ASLR, DEP, and address sanitization.

prevent

Limits impact of renderer process exploitation by isolating Chrome rendering processes in a sandboxed execution domain.

References