CVE-2025-9478
Published: 26 August 2025
Summary
CVE-2025-9478 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 38.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-39 (Process Isolation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the use-after-free vulnerability by requiring timely application of the Chrome patch to version 139.0.7258.154 or later.
Mitigates heap corruption from use-after-free exploits through memory protection mechanisms like ASLR, DEP, and address sanitization.
Limits impact of renderer process exploitation by isolating Chrome rendering processes in a sandboxed execution domain.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Use-after-free in Chrome renderer enables drive-by compromise via malicious HTML page and direct client-side code execution.
NVD Description
Use after free in ANGLE in Google Chrome prior to 139.0.7258.154 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
Deeper analysisAI
CVE-2025-9478 is a use-after-free vulnerability (CWE-416) in the ANGLE graphics component within Google Chrome versions prior to 139.0.7258.154. This flaw allows heap corruption when processing a crafted HTML page, as reported with a Chromium security severity rating of Critical. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), highlighting its potential for significant impact.
A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website containing the crafted HTML page, requiring no privileges but necessitating user interaction. Successful exploitation could enable heap corruption, potentially leading to arbitrary code execution with the privileges of the Chrome renderer process, compromising confidentiality, integrity, and availability.
Google's Chrome Releases stable channel update addresses the vulnerability in version 139.0.7258.154 and later, as detailed in the advisory at https://chromereleases.googleblog.com/2025/08/stable-channel-update-for-desktop_26.html. Additional technical details are available in the Chromium issue tracker at https://issues.chromium.org/issues/437825940. Security practitioners should prioritize updating affected Chrome installations to mitigate the risk.
Details
- CWE(s)