Google Chrome V8 Integer Overflow (CVE-2025-10892): Brief Summary and Technical Review

A brief summary and technical review of CVE-2025-10892, a high-severity integer overflow vulnerability in Google Chrome's V8 JavaScript engine, patched in version 140.0.7339.207. This post covers affected versions, technical details, and vendor security context.
ZeroPath CVE Analysis

2025-09-24

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Remote attackers could exploit heap corruption in Google Chrome simply by luring users to a malicious web page. The vulnerability, tracked as CVE-2025-10892, affects the V8 JavaScript engine and was patched in Chrome version 140.0.7339.207. With Chrome's massive user base, flaws like this have immediate global impact and are of high interest to both defenders and attackers.

Technical Information

CVE-2025-10892 is an integer overflow vulnerability in the V8 JavaScript engine used by Google Chrome. The flaw is present in all versions prior to 140.0.7339.207. An integer overflow occurs when an arithmetic result exceeds the range of its fixed-width type: the stored value wraps modulo 2^n, so an unsigned result becomes a much smaller number and a signed result can turn negative. V8 keeps many lengths, offsets and allocation sizes in 32-bit integers, so a wrapped value of this kind typically undersizes a heap allocation or lets an out-of-range index pass a bounds check, after which ordinary element reads and writes land outside the object.

An attacker can exploit this by serving a crafted HTML page whose JavaScript drives the engine into the overflowing computation. The resulting heap corruption can potentially be escalated to arbitrary code execution inside Chrome's sandboxed renderer process; reaching the operating system would additionally require a sandbox escape. The vulnerability is classified under CWE-190 (Integer Overflow or Wraparound). Google rated it High severity, and the CVSS 3.x base score of 8.8 reported for it reflects a network-reachable bug that needs no privileges and only the single user interaction of visiting a page.

No public code snippets or detailed proof of concept are available for this issue. The bug was found internally by Big Sleep, Google's LLM-driven vulnerability research agent, which highlights the growing role of automated analysis in vulnerability discovery.
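Because nothing specific to this bug is public, the following added example illustrates only the CWE-190 bug class as it appears in engine code: a size or index computed in 32-bit arithmetic wraps, and the wrapped value is then trusted by an allocator or a bounds check. This is example code written for this review, not V8 source and not a proof of concept for CVE-2025-10892; the function names, the sizes and the two patterns shown are assumptions chosen for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Generic illustration of CWE-190 in engine-style code (assumed example
 * functions, not V8 code and not a PoC for CVE-2025-10892).
 */

/* Pattern 1, vulnerable: bytes = length * elem_size computed in uint32_t.
 * 0x40000001 elements of 4 bytes need 0x100000004 bytes, which wraps to 4. */
uint32_t alloc_size_naive(uint32_t length, uint32_t elem_size) {
    return length * elem_size;
}

/* Pattern 1, hardened: reject the multiplication before it can wrap.
 * A division check keeps this portable C; on GCC/Clang
 * __builtin_mul_overflow does the same job. */
bool alloc_size_checked(uint32_t length, uint32_t elem_size, uint32_t *out) {
    if (elem_size != 0 && length > UINT32_MAX / elem_size) {
        return false;                 /* would wrap: refuse to allocate */
    }
    *out = length * elem_size;
    return true;
}

/* Bytes a fill loop of `length` elements would write past an allocation made
 * with the naive size (0 means the allocation was large enough). Computed
 * rather than performed, so the example never touches memory out of bounds. */
uint64_t naive_overrun_bytes(uint32_t length, uint32_t elem_size) {
    uint64_t needed = (uint64_t)length * elem_size;   /* what the loop writes */
    uint64_t reserved = alloc_size_naive(length, elem_size);
    return needed > reserved ? needed - reserved : 0;
}

/* Pattern 2, vulnerable: start + count wraps, so the check passes for a range
 * that actually ends far beyond `length`. */
bool range_ok_naive(uint32_t start, uint32_t count, uint32_t length) {
    return start + count <= length;
}

/* Pattern 2, hardened: compare against the remaining space instead of adding. */
bool range_ok_checked(uint32_t start, uint32_t count, uint32_t length) {
    return start <= length && count <= length - start;
}

int main(void) {
    uint32_t len = 0x40000001u, elem = 4, bytes = 0;
    printf("naive size for 0x%x x %u: %u bytes (overrun %llu bytes)\n",
           len, elem, alloc_size_naive(len, elem),
           (unsigned long long)naive_overrun_bytes(len, elem));
    printf("checked size: %s\n",
           alloc_size_checked(len, elem, &bytes) ? "accepted" : "rejected");
    printf("range 0xFFFFFFF0+0x20 in 0x100: naive %d, checked %d\n",
           range_ok_naive(0xFFFFFFF0u, 0x20, 0x100),
           range_ok_checked(0xFFFFFFF0u, 0x20, 0x100));
    return 0;
}
```

Both hardened variants follow the same rule: never let the wrapped result exist at all. Compare before multiplying or adding, and treat a rejected size as an error rather than falling back to a default.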

Affected Systems and Versions

  • Google Chrome versions prior to 140.0.7339.207 on Linux
  • Google Chrome versions prior to 140.0.7339.207/.208 on Windows and Mac
  • Any build that embeds the affected V8 revision is exposed regardless of platform or configuration, which includes other Chromium-based browsers until they ship the corresponding V8 update
  • Chrome downloads the update automatically, but the fixed binary only takes effect after a relaunch; chrome://version shows the build actually running
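A small added check for the version boundary above, written for this review (not ZeroPath's or Google's code): it decides whether an installed Chrome build predates the fix. The threshold is the Linux fix version from the list; the .208 Windows and Mac build compares as newer and is therefore treated as patched. The function accepts either a bare version string or the banner printed by `google-chrome --version`; the sample inputs are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fix version taken from the advisory text; .208 on Windows/Mac sorts above it. */
#define CHROME_FIXED_VERSION "140.0.7339.207"

/* Parse a dotted version of up to four numeric components into parts[].
 * Leading non-digits ("Google Chrome ") are skipped and missing trailing
 * components count as 0. Returns 0 on success, -1 if the text is not a version. */
static int parse_version(const char *s, unsigned parts[4]) {
    memset(parts, 0, 4 * sizeof(unsigned));
    while (*s && (*s < '0' || *s > '9')) s++;
    for (int i = 0; i < 4; i++) {
        char *end;
        if (*s < '0' || *s > '9') return -1;
        parts[i] = (unsigned)strtoul(s, &end, 10);
        if (*end == '\0' || *end == ' ' || *end == '\n') return 0;
        if (*end != '.' || i == 3) return -1;   /* junk, or a fifth component */
        s = end + 1;
    }
    return -1;
}

/* Component-wise numeric comparison: <0, 0, >0 like strcmp, but "7339" > "999". */
static int compare_versions(const unsigned a[4], const unsigned b[4]) {
    for (int i = 0; i < 4; i++) {
        if (a[i] != b[i]) return a[i] < b[i] ? -1 : 1;
    }
    return 0;
}

/* 1 = older than the fix (vulnerable), 0 = fixed or newer, -1 = unparseable. */
int chrome_is_vulnerable(const char *installed) {
    unsigned have[4], fixed[4];
    if (parse_version(installed, have) != 0) return -1;
    parse_version(CHROME_FIXED_VERSION, fixed);
    return compare_versions(have, fixed) < 0 ? 1 : 0;
}

int main(int argc, char **argv) {
    /* Constructed samples; pass the output of `google-chrome --version` as argv[1]
     * to check a real installation. */
    const char *samples[] = {
        "Google Chrome 140.0.7339.185",
        "140.0.7339.207",
        "Google Chrome 140.0.7339.208",
        "not a version",
    };
    size_t n = sizeof(samples) / sizeof(samples[0]);
    for (size_t i = 0; i < (argc > 1 ? 1 : n); i++) {
        const char *v = argc > 1 ? argv[1] : samples[i];
        int r = chrome_is_vulnerable(v);
        printf("%-32s -> %s\n", v,
               r < 0 ? "unparseable" : r ? "VULNERABLE (pre-fix)" : "patched");
    }
    return 0;
}
```

A plain string comparison would get this wrong ("140.0.7339.99" sorts after "140.0.7339.207" lexically), which is why the components are compared numerically.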

Vendor Security History

V8 is a recurring source of High-severity Chrome vulnerabilities. In September 2025 alone, CVE-2025-10585 (a V8 type confusion that was exploited in the wild and patched the week before this release) and CVE-2025-10890 (a V8 side-channel fixed in the same 140.0.7339.207 update) preceded or accompanied this bug. Google typically ships fixes within days to weeks of discovery and invests heavily in proactive discovery through fuzzing and AI-driven systems such as Big Sleep. Chrome's background auto-update is widely regarded as a model for the industry, with the practical caveat that a downloaded update protects nothing until the browser is relaunched.
