MultiApp-CVE-2025-10500-10585

Lookout Coverage and Recommendation for Admins

To ensure your devices are protected, Lookout admins should take the following steps in their Lookout console:

Enable the Application Vulnerability policy, which detects when a vulnerable app version is installed on the device.
Lookout will publish coverage on October 2, 2025 after which alerts will be generated based on the admin's risk, response, and escalation setup. Coverage will be added as MultiApp-CVE-2025-10500-10585.
Any device with vulnerable versions of Chrome (below 140.0.7339.185) or Edge (below 140.0.3485.81) will receive an alert if detected after that date.
Enable Lookout Phishing & Content Protection (PCP) to protect mobile users from malicious phishing campaigns that are built to exploit these vulnerabilities.

Overview

Google has recently disclosed several critical vulnerabilities in its Chrome web browser on Android devices. These four vulnerabilities are critical flaws in Google Chrome that can be exploited via specially crafted web content. If successfully exploited, they can lead to memory corruption, crashes, denial of service, or even remote code execution:

CVE-2025-10500 is a use-after-free vulnerability in Dawn, Chrome's graphics abstraction layer, which is part of the WebGPU implementation.
CVE-2025-10501 is a use-after-free vulnerability in WebRTC, Google Chrome's component for real-time communication.
CVE-2025-10502 is a Heap buffer overflow that affects Chrome's graphics layer.
CVE-2025-10585 is a zero-day type confusion issue in the V8 JavaScript engine. This is considered the most critical of the recent vulnerabilities as it is being actively exploited in the wild.

All four Google Chrome on Android vulnerabilities are patched in versions 140.0.7339.185 and above. Microsoft Edge is patched in versions 140.0.3485.81 and above.

United States government organizations are required to have all vulnerable devices patched by October 14, 2025. While CISA’s requirement is only for US government organizations, their guidance should be a source of information for enterprise organizations, as well.

Lookout Analysis

Vulnerabilities like these can have an outsized impact on mobile fleets, especially when they exist in everyday apps such as mobile browsers. In addition to gaining remote access to vulnerable devices, successful exploits in browsers also frequently grant the attacker access to the same permissions as the browsers.

‍

Each of the disclosed vulnerabilities can be exploited via a maliciously crafted webpage, which means that attackers can deliver them as URLs in the same way they would deliver phishing attacks on mobile devices. This means they would likely socially engineer an individual through SMS, iMessage, WhatsApp, Telegram, Instagram, LinkedIn, or any of the countless messaging and social media apps on mobile devices. A successful attack could lead to continued data leakage and risk for enterprise organizations.

‍