Chrome Use After Free Vulnerability Lets Attackers Execute Remote Code

Google has released an urgent security update for its Chrome browser addressing a critical “Use After Free” vulnerability in the browser’s Site Isolation feature. 

The high-severity vulnerability, tracked as CVE-2025-3066, could allow attackers to execute arbitrary code on affected systems, potentially taking complete control of victims’ devices when successfully exploited.

Chrome Use After Free Vulnerability 

The vulnerability tracked as CVE-2025-3066 stems from a memory management flaw known as a “Use After Free” (UAF) bug in Chrome’s Site Isolation feature. 

Site Isolation is a security mechanism introduced to mitigate side-channel attacks like Spectre by ensuring websites are rendered in separate processes.

Use After Free vulnerabilities occur when a program continues to use a memory location after it has been freed, creating a scenario where attackers can manipulate the contents of that freed memory.


In typical exploitation scenarios, this allows attackers to corrupt memory and potentially execute malicious code.

In the case of CVE-2025-3066, the UAF bug in Site Isolation could allow attackers to escape the sandbox that normally contains web content within its own process. 

This potentially enables an attacker to execute code with the privileges of the Chrome browser process.

Security researcher Sven Dysthe (@svn-dys) reported the vulnerability on March 21, 2025. Google awarded the researcher a $4,000 bounty for discovering and reporting this high-impact security issue. 

As is standard practice with severe vulnerabilities, Google has restricted access to complete technical details until a majority of users have been updated with the security patch.

The summary of the vulnerability is given below:

Risk Factors            Details
Affected Products       Google Chrome prior to 135.0.7049.84/.85 for Windows and Mac, and prior to 135.0.7049.84 for Linux
Impact                  Remote Code Execution (RCE)
Exploit Prerequisites   User must visit a maliciously crafted webpage; no privileges required; exploitable over a network
CVSS 3.1 Score          8.8 (High Severity)

Security experts indicate that successful exploitation of this vulnerability would likely begin with a specially crafted webpage containing JavaScript code designed to trigger memory corruption.

When a victim visits such a page, the malicious code could manipulate the freed memory region, leading to arbitrary code execution.

Attackers could leverage this to install malware, steal sensitive information, or establish persistent access to affected systems.

Mitigations

Google has now addressed the vulnerability in Chrome version 135.0.7049.84/.85 for Windows and Mac and 135.0.7049.84 for Linux. 

The update is being rolled out gradually over the coming days and weeks. Chrome users can check their browser version and update status by navigating to “chrome://settings/help” in the address bar.

Security experts strongly recommend that all Chrome users update their browsers to the latest version immediately. Organizations should prioritize this update, especially for systems that process sensitive information or have elevated privileges.
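
For organizations prioritizing this update, the following sketch triages a software inventory against the fixed build numbers given above. It is an added example, not code from the original article or from Google. The "host,os,chrome_version" inventory format, the hostnames and the sample versions are constructed assumptions.

```python
"""Flag Chrome installs older than the CVE-2025-3066 fix (added example)."""
import re

# Fixed builds named in the article: 135.0.7049.84/.85 (Windows, Mac) and
# 135.0.7049.84 (Linux). Anything prior to .84 is affected on every platform.
FIXED = (135, 0, 7049, 84)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")

# Constructed sample inventory: "host,os,chrome_version" (assumed format).
SAMPLE_INVENTORY = """\
ws-001,windows,135.0.7049.85
ws-002,windows,135.0.7049.42
mac-007,mac,134.0.6998.178
lnx-build,linux,135.0.7049.84
lnx-kiosk,linux,135.0.7049.9
ws-legacy,windows,unknown
"""

def parse_version(text):
    """Return a 4-tuple of ints, or None if not a Chrome version string."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def triage(inventory):
    """Split inventory lines into patched, vulnerable and unknown hosts."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            result["unknown"].append(line.strip())  # malformed row
            continue
        host, _os, raw = fields
        version = parse_version(raw)
        if version is None:
            result["unknown"].append(host)   # cannot prove it is patched
        elif version < FIXED:                # numeric, not string, comparison
            result["vulnerable"].append(host)
        else:
            result["patched"].append(host)
    return result

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

The constructed host lnx-kiosk (build .9) shows why the comparison must be numeric: compared as strings, "135.0.7049.9" sorts after "135.0.7049.84" and would be reported as patched.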


The post Chrome Use After Free Vulnerability Let Attackers Execute Remote Code appeared first on Cyber Security News.
