Google has rolled out a stable-channel update for Chrome that patches CVE-2025-8879, a high-severity heap buffer overflow in the libaom AV1 codec library. The fix landed on August 12, 2025, in Chrome versions 139.0.7258.127/.128 for Windows and macOS and 139.0.7258.127 for Linux, closing a remote code execution vector that could be triggered by maliciously crafted web content. Because Microsoft Edge and other browsers ingest Chromium’s upstream security fixes, Windows users should expect corresponding Edge updates to follow.
What is libaom and why does this matter?
Libaom is the reference open-source implementation of the AV1 video codec, maintained by the Alliance for Open Media. It is the default AV1 decoder inside Chromium-based browsers, used whenever a page serves AV1-encoded video or animated images. Modern websites often decode such media in the background—autoplaying clips, embedded thumbnails, or even WebRTC streams—with no explicit user action. A memory-safety bug in this widely deployed library turns every visit to a malicious page into a potential compromise.
Chromium’s architecture makes codec bugs especially dangerous. Libaom runs inside the browser’s renderer process or, on some platforms, the GPU process. A heap overflow that corrupts adjacent memory can let an attacker hijack control flow, often leading to arbitrary code execution within the sandboxed process. Sandboxing reduces the blast radius, but a full escape chain remains possible with additional exploits. This vulnerability, rated High by both Google and the NVD, demands immediate patching on all endpoints.
CVE-2025-8879 details
- CVE ID: CVE-2025-8879
- Type: Heap buffer overflow (CWE-122)
- Component: libaom (AV1 codec)
- Affected browsers: Chromium-based browsers prior to 139.0.7258.127
- Patch: Chrome stable update 139.0.7258.127/.128, released August 12, 2025
- Reported: July 15, 2025, by an anonymous researcher
- Attack vector: Remote, via crafted HTML/media content that forces libaom to decode malformed AV1 data
Google’s advisory lists CVE-2025-8879 alongside five other security fixes, but it is the only heap overflow in a third-party codec. The Chromium team restricted bug details until the majority of users received the update, a standard practice to reduce the risk of exploit development while patch adoption lags.
Technical analysis: how a libaom heap overflow escalates to code execution
A heap buffer overflow in a multimedia codec typically occurs when the decoder miscalculates buffer sizes or fails to validate compressed‑stream dimensions. In libaom’s case, the vulnerability arises from incorrect boundary checks when processing specially crafted AV1 sequences. An attacker can embed such a sequence inside a web page or a downloadable media file. When the browser parses that content, the corrupted data reaches libaom, which writes past the end of its allocated heap buffer.
The overwritten memory may contain object pointers, vtable entries, or allocation metadata. By carefully shaping the heap via JavaScript or Web Workers, an attacker can turn a simple overflow into a reliable exploit primitive. Once control flow is redirected, the attacker can execute arbitrary code within the renderer’s privileges. In many desktop configurations, that level of access is enough to steal credentials, pivot to other processes, or install persistent malware.
AV1’s growing adoption makes libaom a high-value target. Google, Netflix, YouTube, and many video‑conferencing tools rely on AV1 for bandwidth efficiency. Even when a platform provides its own AV1 decoder, Chromium often defaults to libaom for consistency. This ubiquity means the same vulnerability could be reachable through countless web scenarios, including ad networks, user‑uploaded video, and cross‑origin iframes.
Vendor response and patch rollout
Google Chrome
Google released the patched builds on August 12, 2025, via its stable channel. The update is delivered automatically through Chrome’s built‑in updater. Users can manually trigger it by visiting chrome://settings/help or going to Menu → Help → About Google Chrome. After the update, the version string should read 139.0.7258.127 or higher on Windows and macOS, and 139.0.7258.127 on Linux.
Google’s release notes acknowledge the vulnerability was reported on July 15, 2025, and thank the anonymous researcher. The company also credited its internal memory‑safety tooling—AddressSanitizer, MemorySanitizer, and libFuzzer—for catching additional bugs during the development cycle.
Microsoft Edge and other Chromium browsers
Microsoft Edge is built on Chromium and directly ingests its security patches. The Edge team publicly tracks Chromium fixes and aims to incorporate them into Edge stable builds after integration testing. Historically, Edge updates that include critical Chromium patches arrive within days of the Chrome release. Windows users should check edge://settings/help for pending updates and monitor Microsoft’s security release notes for the build that specifically addresses CVE-2025-8879.
Other Chromium‑based browsers—Brave, Vivaldi, Opera, and un‑branded Chromium builds—will similarly inherit the fix. Administrators of enterprise deployments that use any Chromium‑derived browser should ensure all instances are updated to a version that includes commit logs referencing CVE-2025-8879.
Upstream libaom
Google’s advisory does not explicitly confirm whether the fix was applied directly to the upstream libaom repository or only in Chromium’s bundled fork. For organizations that ship libaom as a shared library (common on Linux distributions and in media‑processing pipelines), it is prudent to assume the upstream code is also vulnerable. Maintainers of those distributions should monitor the Alliance for Open Media’s commit history and apply any corresponding patch as soon as it is available.
Risk assessment and exploitation status
- Severity: High (NVD), with a CVSS base score likely above 8.0 pending final scoring.
- Exploitation in the wild: As of the initial disclosure on August 12, 2025, no active exploitation had been reported by major threat‑intelligence feeds or vulnerability‑management platforms. However, this class of vulnerability historically attracts rapid weaponization. The “no known exploit” status can change within hours, and many attacks go undetected until weeks later.
- Real‑world impact: Successful exploitation can lead to complete compromise of the browser’s integrity, enabling credential theft, session hijacking, or lateral movement. In enterprise environments, a single unpatched endpoint browsing an attacker‑controlled site is enough to breach the network perimeter.
Mitigation and patch guidance
For all users
- Update your browser immediately.
- Chrome: Navigate to chrome://settings/help or Menu → Help → About Google Chrome. If an update is available, install it and restart. Confirm the version is 139.0.7258.127/.128 or later.
- Edge: Go to edge://settings/help to manually check for updates. If Microsoft has released a patched build, install it. Watch for the update if it hasn’t arrived yet. - Verify the fix. After restarting, revisit the About page; the version number should reflect the patched release.
- Limit risky browsing. Until you confirm the update, avoid opening untrusted websites, especially those that serve embedded video or enable autoplay. Be cautious with downloaded media files opened directly in the browser.
For IT administrators and security teams
- Prioritize patch deployment: Push the Chrome update through your endpoint‑management tools immediately. For Edge, roll out the update as soon as Microsoft publishes the corresponding build. Use group policies or MDM to force browser restarts if necessary.
- Staged rollouts: Deploy to a pilot group first to validate compatibility, then accelerate to the full fleet. The risk of waiting for a two‑week testing cycle outweighs the benefit for a high‑severity codec bug.
- EDR signatures: Update detection rules to flag anomalous renderer‑process crashes, unexpected heap‑corruption logs, or repeated AV1‑decoding failures. Several vulnerability scanners—Qualys, Rapid7, and Nessus—already have detection plugins for this CVE.
- Temporary workarounds: In high‑risk environments where immediate patching is impossible, consider disabling AV1 decoding via enterprise policies (e.g.,
--disable‑accelerated‑video‑decodeor blocking the AV1 codec path using GPO). Test thoroughly; disabling codecs may break legitimate media playback. - Monitor threat feeds: Track CVE-2025-8879 on resources like Feedly and vendor security bulletins. The situation can change rapidly if an exploit appears.
Broader implications for the Chromium ecosystem
This vulnerability highlights the systemic risk that shared multimedia libraries pose. The same libaom code runs in browsers, media players, and server‑side transcoding services. When a memory‑safety bug is discovered, dozens of projects must coordinate a fix to prevent downstream lag. The Chromium team’s practice of temporarily restricting bug details is aimed at giving those projects a head start, but it also leaves some vendors in the dark until the public advisory.
For codec maintainers, CVE-2025-8879 reinforces the need for continuous fuzzing and sanitizer‑based testing. The Alliance for Open Media already employs extensive testing frameworks, but as AV1 becomes more widespread, investment in memory‑safe rewrites (perhaps in Rust) or formal verification will become essential.
Browser vendors that integrate Chromium must keep their release cadence tightly aligned with upstream security fixes. A gap of even a few days between Chrome’s patch and Edge’s update can leave millions of users exposed. Microsoft’s published workflow suggests they are aware of the urgency, but enterprises should independently verify and not assume instantaneous parity.
What to watch for next
- Edge patch release: Microsoft’s security update guide and Edge release notes will provide the specific build number that incorporates the Chromium 139.x fixes. Check these pages daily.
- Exploit emergence: Monitor threat‑intelligence providers and the NVD entry for any change in exploitation status. If an in‑the‑wild exploit is confirmed, the urgency level rises to critical.
- Upstream libaom patch: Distro maintainers and self‑built Chromium users should watch for a separate libaom release that backports the fix. The AOMedia blog and the libaom repository are authoritative sources.
- Scanner updates: If you use vulnerability management platforms like Rapid7 or Qualys, ensure your scan definitions are current. Both have published detection coverage for this CVE.
CVE-2025-8879 is a textbook example of how a single bug in a widely used codec can ripple through the entire browser landscape. Applying the Chrome patch, preparing for the Edge update, and maintaining robust monitoring are the only proven defenses. The codec attack surface isn’t going away—AV1 is only getting more popular—so the discipline of rapid patching must become second nature for every organization.