
Google Issues Critical Security Patch for Chrome to Fix ‘Use After Free’ Vulnerability


Google has released an urgent security update for its Chrome browser to address a critical vulnerability in its Site Isolation feature, classified as a high-severity “Use After Free” (UAF) flaw.

Details of the Vulnerability (CVE-2025-3066)
Tracked as CVE-2025-3066, the flaw arises from improper memory management within the Site Isolation mechanism—a security feature designed to defend against side-channel attacks like Spectre by running each website in a separate process.

“Use After Free” vulnerabilities occur when a program accesses memory after it has been released. This creates a window for attackers to manipulate that memory, potentially leading to memory corruption and execution of malicious code.

In this case, the UAF issue could allow an attacker to break out of Chrome’s sandbox, potentially gaining the ability to execute arbitrary code with the same privileges as the Chrome browser process—effectively taking control of the system.

Discovery and Response
Security researcher Sven Dysthe (@svn-dys) reported the vulnerability to Google on March 21, 2025. In recognition of the discovery, Google awarded a $4,000 bug bounty.

As part of its standard protocol for handling critical vulnerabilities, Google is withholding full technical details until the majority of users have applied the security update, minimizing the risk of exploitation.

Summary of CVE-2025-3066

  • Type: Use After Free
  • Component: Site Isolation
  • Impact: Remote Code Execution
  • Severity: High
  • Reported by: Sven Dysthe (@svn-dys)
  • Bounty Awarded: $4,000
  • Date Reported: March 21, 2025

Users are strongly encouraged to update their Chrome browsers immediately to ensure protection against potential attacks leveraging this flaw.

The summary of the vulnerability is given below:

| Risk Factors | Details |
| --- | --- |
| Affected Products | Google Chrome prior to 135.0.7049.84/.85 for Windows and Mac, and prior to 135.0.7049.84 for Linux |
| Impact | Remote Code Execution (RCE) |
| Exploit Prerequisites | User must visit a maliciously crafted webpage; no privileges required; exploitable over a network |
| CVSS 3.1 Score | 8.8 (High Severity) |

According to security experts, exploiting this vulnerability would likely involve a specially crafted webpage embedded with malicious JavaScript code designed to corrupt memory.

When a user visits such a page, the exploit could manipulate freed memory, potentially allowing the attacker to execute arbitrary code on the system.

This could be used to deploy malware, exfiltrate sensitive data, or establish long-term access to compromised devices.

Mitigation and Update Availability

Google has released a fix in Chrome version 135.0.7049.84/.85 for Windows and Mac, and 135.0.7049.84 for Linux. The update is being rolled out progressively over the coming days and weeks.

To check your current version and update manually, navigate to chrome://settings/help in your browser’s address bar.

Security professionals strongly advise all Chrome users to update to the latest version as soon as possible. Organizations, in particular, should prioritize this update on systems handling sensitive data or operating with elevated privileges.
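
For organizations prioritizing this update, the following is an added example (not code from Google or from the original article) that triages a software inventory against the fixed build named above. The host names and version strings are constructed sample data, and treating 135.0.7049.84 as the lowest fixed build on every platform is an assumption drawn from the version list in this article.

```python
import re

# Lowest fixed build per platform, as listed in the article (assumption:
# ".84/.85" means .84 is the earliest patched build on Windows and Mac).
FIXED = {
    "windows": (135, 0, 7049, 84),
    "mac": (135, 0, 7049, 84),
    "linux": (135, 0, 7049, 84),
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Pull a four-part version out of strings like 'Google Chrome 135.0.7049.84'."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in match.groups())

def is_affected(platform, version_text):
    """True when the installed build is older than the fixed build.
    Comparing integer tuples avoids the string-comparison trap where
    '135.0.7049.9' would sort after '135.0.7049.84'."""
    fixed = FIXED[platform.lower()]
    return parse_version(version_text) < fixed

def triage(inventory):
    """Return (host, action) for every host that is not confirmed patched."""
    findings = []
    for host, platform, version_text in inventory:
        try:
            if is_affected(platform, version_text):
                findings.append((host, "update required"))
        except (KeyError, ValueError):
            # Unknown platform or unparseable version: never assume patched.
            findings.append((host, "manual check"))
    return findings

# Constructed inventory rows: (host, platform, reported version string)
SAMPLE = [
    ("ws-01", "windows", "Google Chrome 135.0.7049.85"),
    ("ws-02", "windows", "Google Chrome 134.0.6000.10"),
    ("ws-03", "windows", "135.0.7049.9"),
    ("mb-01", "mac", "135.0.7049.42"),
    ("lx-01", "linux", "Google Chrome 135.0.7049.84 "),
    ("kiosk", "chromeos", "unknown"),
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE):
        print(f"{host}: {action}")
```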
