CVE-2025-12725 Overview
CVE-2025-12725 is an out-of-bounds read vulnerability in the WebGPU component of Google Chrome on Android. The flaw affects Chrome versions prior to 142.0.7444.137 and allows a remote attacker to perform an out-of-bounds memory write through a crafted HTML page. The issue is classified under [CWE-125: Out-of-bounds Read]. Successful exploitation requires user interaction, such as visiting an attacker-controlled web page. Google rates the underlying Chromium security severity as High.
Critical Impact
A remote attacker can trigger out-of-bounds memory access in the renderer process through a malicious web page, potentially leading to arbitrary memory corruption and compromise of the browser process.
Affected Products
- Google Chrome on Android prior to 142.0.7444.137
- Google Chrome desktop builds sharing the affected WebGPU code paths (Windows, macOS, Linux)
- Chromium-based downstream builds incorporating the vulnerable WebGPU implementation
Discovery Timeline
- 2025-11-10 - CVE-2025-12725 published to the National Vulnerability Database
- 2025-11-25 - Last updated in NVD database
Technical Details for CVE-2025-12725
Vulnerability Analysis
The vulnerability resides in WebGPU, the Chromium implementation of the W3C GPU compute and rendering API exposed to web content. WebGPU processes shader programs, buffers, and command encoders supplied by JavaScript running in the renderer. A crafted HTML page can drive WebGPU into reading past the bounds of an allocated buffer, and that out-of-bounds read condition can be steered into an out-of-bounds memory write. The combination converts a read-side weakness into memory corruption inside the renderer process.
Because WebGPU is reachable from any origin without authentication, an attacker only needs the victim to load a malicious page. The vulnerability requires user interaction but no privileges. Memory corruption in the renderer is a common starting point for sandbox escape chains targeting Chrome.
Root Cause
The root cause is missing or incorrect bounds validation on a data structure accessed during WebGPU command processing. The component reads beyond the intended buffer extent, and adjacent state can be modified as a side effect of the malformed access pattern, producing an out-of-bounds write.
Attack Vector
Exploitation is network based and requires the user to open or interact with a crafted HTML page. The attacker delivers JavaScript that constructs specific WebGPU resources and submits commands that trigger the boundary error. No additional privileges are required on the target system.
No public proof-of-concept code is available. Technical details are tracked in the Chromium Issue Tracker Entry.
Detection Methods for CVE-2025-12725
Indicators of Compromise
- Renderer process crashes referencing WebGPU, Dawn, or GPU command buffer modules in Chrome crash telemetry.
- Outbound connections from end-user hosts to untrusted domains immediately followed by Chrome renderer instability.
- Chrome installations reporting versions earlier than 142.0.7444.137 in asset inventory.
Detection Strategies
- Inventory installed Chrome versions across managed endpoints and flag any build below 142.0.7444.137.
- Correlate Chrome crash dump events (chrome.exe, chrome renderer) with browsing history to identify pages triggering WebGPU faults.
- Monitor for unexpected child processes spawned by Chrome renderers, which can indicate post-exploitation activity following a memory corruption primitive.
Monitoring Recommendations
- Enable browser telemetry forwarding to a central log platform and alert on repeated renderer crashes from the same origin.
- Track WebGPU feature usage in enterprise environments through Chrome Enterprise reporting where applicable.
- Review proxy and DNS logs for newly registered or low-reputation domains delivering HTML content to users on outdated Chrome builds.
How to Mitigate CVE-2025-12725
Immediate Actions Required
- Update Google Chrome on Android to version 142.0.7444.137 or later, and update desktop Chrome to the corresponding Stable channel release.
- Push the update through mobile device management and enterprise browser management policies to enforce compliance.
- Restart the browser on all endpoints after deployment to ensure the patched binary is loaded.
Patch Information
Google addressed the issue in the Chrome Stable channel update announced on the Google Chrome Update Announcement. Users on Android must install Chrome 142.0.7444.137 or later from Google Play. Chromium-based browsers should apply the corresponding upstream fix tracked in the Chromium Issue Tracker Entry.
Workarounds
- Disable WebGPU via the chrome://flags/#enable-unsafe-webgpu flag and enterprise policy where the feature is not required.
- Restrict access to untrusted web content using URL filtering, DNS filtering, or secure web gateway controls until patching is complete.
- Apply the principle of least functionality by limiting hardware-accelerated graphics features on managed mobile fleets where business workflows do not depend on them.
# Verify Chrome version on Android via adb
adb shell dumpsys package com.android.chrome | grep versionName
# Expected output should show versionName=142.0.7444.137 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
