{"id":6102,"date":"2025-08-13T10:03:34","date_gmt":"2025-08-13T10:03:34","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/08\/13\/multiple-chrome-high-severity-vulnerabilities-let-attackers-execute-arbitrary-code\/"},"modified":"2025-08-13T10:03:34","modified_gmt":"2025-08-13T10:03:34","slug":"multiple-chrome-high-severity-vulnerabilities-let-attackers-execute-arbitrary-code","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/08\/13\/multiple-chrome-high-severity-vulnerabilities-let-attackers-execute-arbitrary-code\/","title":{"rendered":"Multiple Chrome High-Severity Vulnerabilities Let Attackers Execute Arbitrary Code"},"content":{"rendered":"

Multiple Chrome High-Severity Vulnerabilities Let Attackers Execute Arbitrary Code
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

Google Chrome has released a critical security update addressing six vulnerabilities that could potentially enable arbitrary code execution on affected systems.\u00a0<\/p>\n

The stable channel update to version 139.0.7258.127\/.128 for Windows and Mac, and 139.0.7258.127 for Linux, contains patches for multiple high-severity security flaws that pose significant risks to user data and system integrity.<\/p>\n

Key Takeaways<\/mark><\/strong>
1. Chrome fixes six vulnerabilities, including three that enable code execution.
2. Affects V8 engine and graphics - allows malicious code execution.
3. Update Chrome now via Settings > About Chrome.<\/pre>\n
High-Severity Vulnerabilities Addressed<\/strong><\/h2>\n
The security update targets three high-severity vulnerabilities<\/a> that could lead to arbitrary code execution.\u00a0<\/p>\n
CVE-2025-8879 represents a heap buffer overflow vulnerability<\/a> in the libaom library, which handles video encoding and decoding operations.\u00a0<\/p>\n
This type of vulnerability allows attackers to write data beyond allocated memory boundaries, potentially overwriting critical system information.<\/p>\n
CVE-2025-8880 addresses a race condition in Google\u2019s V8 JavaScript engine, reported by security researcher Seunghyun Lee.\u00a0<\/p>\n
Race conditions occur when multiple processes attempt to access shared resources simultaneously, creating unpredictable behavior that attackers can exploit.\u00a0<\/p>\n
The third high-severity flaw, CVE-2025-8901, involves an out-of-bounds write vulnerability in ANGLE (Almost Native Graphics Layer Engine), which translates OpenGL ES API calls to hardware-supported APIs.<\/p>\n
Chrome\u2019s security team utilized multiple advanced detection methodologies to identify these vulnerabilities, including AddressSanitizer for detecting memory corruption bugs, MemorySanitizer for uninitialized memory reads, and UndefinedBehaviorSanitizer for catching undefined behavior in C\/C++ code.\u00a0<\/p>\n
The update also incorporates Control Flow Integrity mechanisms and findings from libFuzzer and AFL (American Fuzzy Lop) testing frameworks.<\/p>\n
Medium- Severity Vulnerabilities Addressed<\/strong><\/h2>\n
Additional medium-severity vulnerabilities were also patched, including CVE-2025-8881, which addresses inappropriate implementation in the File Picker component, and CVE-2025-8882, a use-after-free vulnerability in the Aura windowing system.\u00a0<\/p>\n
Use-after-free vulnerabilities occur when programs continue to use memory after it has been freed, leading to potential code execution opportunities.<\/p>\n
\n\n\n\n\n\n\n\n\n
CVE ID<\/strong><\/td>\nTitle<\/strong><\/td>\nSeverity<\/strong><\/td>\n<\/tr>\n
CVE-2025-8879<\/td>\nHeap buffer overflow in libaom<\/td>\nHigh<\/td>\n<\/tr>\n
CVE-2025-8880<\/td>\nRace in V8<\/td>\nHigh<\/td>\n<\/tr>\n
CVE-2025-8901<\/td>\nOut of bounds write in ANGLE<\/td>\nHigh<\/td>\n<\/tr>\n
CVE-2025-8881<\/td>\nInappropriate implementation in File Picker<\/td>\nMedium<\/td>\n<\/tr>\n
CVE-2025-8882<\/td>\nUse after free in Aura<\/td>\nMedium<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n
Mitigations<\/strong><\/h2>\n
These vulnerabilities collectively present serious security risks, as heap buffer overflows and race conditions in core browser components can be exploited to execute malicious code with browser privileges.\u00a0<\/p>\n
The automatic rollout<\/a> will occur over the coming days and weeks, but users should manually update Chrome through Settings > About Chrome.<\/p>\n
System administrators should prioritize this update deployment, particularly in enterprise environments where browsers process sensitive data.\u00a0<\/p>\n
The Chrome team\u2019s collaboration with external security researchers, including anonymous contributors and Google\u2019s Big Sleep project, demonstrates the ongoing effort to identify and remediate security vulnerabilities before they reach stable release channels.<\/p>\n
Boost\u00a0your\u00a0SOC and help your team protect your business with free top-notch threat intelligence:\u00a0Request TI Lookup Premium Trial<\/a>.<\/code><\/strong><\/p>\n
The post Multiple Chrome High-Severity Vulnerabilities Let Attackers Execute Arbitrary Code<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n
 \t

\n 
<\/BR>
\n    Florence Nightingale
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n 
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"
Multiple Chrome High-Severity Vulnerabilities Let Attackers Execute Arbitrary Code Google Chrome has released a critical security update addressing six vulnerabilities that could potentially enable arbitrary code execution on affected systems.\u00a0 The stable channel update to version 139.0.7258.127\/.128 for Windows and Mac, and 139.0.7258.127 for Linux, contains patches for multiple high-severity security flaws that pose significant […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131,648],"tags":[130],"class_list":["post-6102","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/6102"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=6102"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/6102\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=6102"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=6102"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=6102"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}