CVE-2025-9132 is a high-severity vulnerability affecting the V8 JavaScript engine in Google Chrome versions prior to 139.0.7258.138. It involves an out-of-bounds write that could lead to heap corruption or arbitrary remote code execution through a crafted HTML page.  

Background

This vulnerability was detected and reported by Google Big Sleep which is an advanced AI tool designed to detect vulnerabilities before they get exploited.  

As of August 21, 2025, technical information remains limited and confidential. No proof of concept has been published, and there is currently no evidence of exploitation in the wild. 

Several out-of-bounds vulnerabilities have been discovered and disclosed in V8. Below is a list of similar vulnerabilities, however; as details are limited, it is difficult to determine how closely related they are. 

  • CVE-2024-0517 - Out of bounds write in V8 in Google Chrome prior to 120.0.6099.224 
  • CVE-2024-0519 - Out of bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 
  • CVE-2025-5419 - Out of bounds read and write in V8 in Google Chrome prior to 137.0.7151.68 

Affected Versions 

  • Any Chrome version below 139.0.7258.138, across all major platforms (Windows, macOS, and Linux).  
  • Specific fixes began rolling out on August 19, 2025: 
  • Windows/macOS: Chrome 139.0.7258.138/.139 
  • Linux: 139.0.7258.138  

Technical Impact 

  • Root cause: A memory write occurs beyond the bounds of an allocated buffer in the V8 engine (CWE787), enabling heap corruption.  
  • Potential consequences include: 
  • Browser crashes or Denial of Service (DoS) 
  • Bypass of sandbox protections 
  • Remote Code Execution (RCE)  

The CVSS v3.1 score is 8.8 (High), reflecting the severity and ease of exploitation in remote contexts without authentication.  

 

Timeline of Events 

  • August 4, 2025: Detected by Google’s AI-powered vulnerability detection tool, Big Sleep 
  • August 19, 2025: Security patch released and deployed to users.  
  • August 20, 2025: CVE details published and recognized by NVD, Nessus, Qualys, and security databases.  

IRNEW

Recommended Mitigation Steps 

  1. Immediate Update
  • Ensure your Chrome browser is updated to version 139.0.7258.138 or later. 
  • To verify or update: 
  1. Open Chrome → navigate to chrome://settings/help, or 
  1. Select HelpAbout Google Chrome to trigger automatic update. 
  1. Enterprise Rollouts
  • Apply the update across managed environments—Windows, macOS, and Linux 
  1. Vulnerability Scanning
  • Use vulnerability scanner tools to detect outdated Chrome installations.  
  1. Security Monitoring
  • Monitor for unusual browser behaviour, suspicious HTML payloads served over web connections, or abnormal process terminations. 
  1. User Awareness
  • Educating users on the importance of updates 
  • Discourage installation of untrusted browser extensions or visiting suspicious sites. 

 Final Thoughts 

This vulnerability underscores the high stakes of memory corruption flaws in widely used infrastructure like browser engines. Given the ease and potential impact of exploitation, immediate patching is critical.  

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touchto find out how you can protect your organisation. 

Contact Us