Overview

A critical security vulnerability, identified as CVE-2025-4372, has been discovered in the WebAudio component of the Chromium browser engine. This flaw affects both Google Chrome and Microsoft Edge browsers, potentially allowing remote attackers to execute arbitrary code on affected systems.

Technical Details

The vulnerability is classified as a "use-after-free" (UAF) issue within the WebAudio API. UAF vulnerabilities occur when a program continues to use a pointer after it has been freed, leading to undefined behavior and potential security risks. In this case, the flaw resides in the INLINECODE0 component, which wasn't properly managed, allowing attackers to manipulate freed memory addresses to execute arbitrary code. (cybersecuritynews.com)

Discovery and Disclosure

The vulnerability was discovered by Huang Xilin of Ant Group Light-Year Security Lab and reported to Google on April 20, 2025. As part of Google's vulnerability rewards program, Huang received a $7,000 bounty for the discovery. (cybersecuritynews.com)

Affected Versions

  • Google Chrome: Versions prior to 136.0.7103.92
  • Microsoft Edge: Versions prior to 136.0.3240.64

Users running these versions are at risk and should update their browsers immediately.

Severity and Impact

While Google categorized the vulnerability's severity as "Medium," several security vendors, including Tenable, have rated it as "High" with a CVSS base score of 8.8. The vulnerability allows remote attackers to exploit heap corruption via a crafted HTML page, potentially leading to arbitrary code execution. (tenable.com)

Mitigation and Recommendations

To address this vulnerability, users are strongly advised to:

  1. Update Browsers: Ensure that Google Chrome is updated to version 136.0.7103.92 or later, and Microsoft Edge to version 136.0.3240.64 or later.
  2. Enable Automatic Updates: Keep automatic updates enabled to receive security patches promptly.
  3. Exercise Caution: Avoid visiting untrusted websites or clicking on suspicious links, as these could be vectors for exploitation.

Historical Context

This is not the first time the WebAudio component has been targeted. Similar vulnerabilities, such as CVE-2023-6345 and CVE-2024-0224, were discovered in previous versions, highlighting the consistent security challenges posed by complex audio processing in web browsers. (nvd.nist.gov, nvd.nist.gov)

Conclusion

The discovery of CVE-2025-4372 underscores the importance of regular software updates and vigilance in cybersecurity practices. Users and organizations must prioritize timely updates and adhere to best practices to mitigate potential threats arising from such vulnerabilities.