Google Chrome, Use After Free, CVE-2025-0999 (High)

Listen to this Post

The vulnerability is a use-after-free condition within the Dawn graphics library, the WebGPU implementation in Google Chrome. When a crafted HTML page is loaded, it triggers a sequence of WebGPU API calls that manipulate GPU buffer objects. Specifically, the flaw resides in the buffer mapping logic where a reference to a GPU buffer is retained after the underlying object has been deallocated. An attacker who has already compromised the renderer process (e.g., via another vulnerability) can leverage this dangling pointer. By crafting specific JavaScript and WebGPU commands, the attacker forces the browser to reuse the freed memory region for a new, attacker-controlled object. This results in a type confusion scenario. The remote attacker then gains the ability to write arbitrary data into the freed buffer, leading to out-of-bounds memory access. Successful exploitation bypasses the Chrome sandbox in the renderer process, allowing the attacker to execute arbitrary code within the context of the renderer. The attack chain requires the victim to visit a malicious webpage. The vulnerability was present in all Chrome versions prior to 146.0.7680.178. The Dawn component manages low-level GPU operations, making this a high-severity issue as it directly enables code execution after renderer compromise. The fix involves proper reference counting and object lifecycle management in Dawn’s buffer handling code.
Platform: Google Chrome
Version: 146.0.7680.178
Vulnerability : Use After Free
Severity: High
date: 2025-02-26

Prediction: Patch expected 2025-02-26

What Undercode Say:

Check current Chrome version
google-chrome --version
Verify patch status (Linux)
dpkg -l | grep chrome
Example Node.js script to detect vulnerable WebGPU behavior
const gpu = navigator.gpu;
const adapter = await gpu.requestAdapter();
const device = await adapter.requestDevice();
const buffer = device.createBuffer({ size: 1024, usage: GPUBufferUsage.MAP_WRITE });
await buffer.mapAsync(GPUMapMode.WRITE);
buffer.destroy(); // Trigger free
// Use after free simulation
const newBuffer = device.createBuffer({ size: 1024, usage: GPUBufferUsage.MAP_WRITE });
// Dangling pointer reference could lead to corruption

Exploit:

Attacker, having compromised renderer, sends crafted WebGPU commands to create and destroy GPU buffers while retaining a reference. The freed memory is then repurposed with attacker-controlled data, enabling arbitrary code execution via a fake vtable or function pointer overwrite within the renderer process.

Protection from this CVE

Update Chrome to version 146.0.7680.178 or later. Enable Site Isolation and strict sandboxing. Use application-level firewall to restrict outbound connections from renderer processes. Deploy endpoint detection rules for abnormal WebGPU API call sequences.

Impact:

Remote code execution within the renderer process. Combined with a renderer compromise, this allows full control over the affected tab, data theft, and potential sandbox escape if chained with a separate vulnerability.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: www.cve.org
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top