January 8, 2026

MultiApp-CVE-2025-14765

Lookout Coverage and Recommendation for Admins

To ensure your devices are protected, Lookout admins should take the following actions in their Lookout console:

  • Enable the Application Vulnerability policy, which detects when a vulnerable app version is installed on a device.
  • Lookout will publish coverage on January 14, 2026, after which alerts will be generated according to the admin's risk, response, and escalation settings. Coverage will be added as MultiApp-CVE-2025-14765.
  • Any device running a vulnerable version of Google Chrome for Android (below 143.0.7499.146) or Microsoft Edge for Android (below 143.0.3650.88) will receive an alert if it is detected after that date.
  • Enable Lookout Phishing & Content Protection (PCP) to protect mobile users from phishing campaigns that lure them to pages built to exploit this vulnerability.
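Before the January 14 coverage date, an admin may want to check installed browser versions by hand, for example from the `versionName=` line of `adb shell dumpsys package <pkg>` output. The check below is an added example written for this page; it is not Lookout code. It parses that line out of a constructed `dumpsys` sample (not captured from a real device), compares the version numerically against the fixed floors quoted above, and shows why a plain string comparison is the wrong tool: lexically, "143.0.7499.99" sorts after "143.0.7499.146". The package names `com.android.chrome` and `com.microsoft.emmx` are assumed to be the Android package IDs of the two browsers.

```c
#include <stdio.h>
#include <string.h>

/* Fixed-version floors from the advisory. Anything below these is vulnerable. */
#define CHROME_ANDROID_FIXED "143.0.7499.146"
#define EDGE_ANDROID_FIXED   "143.0.3650.88"

/* Parse a dotted Chromium version ("143.0.7499.146") into four integers.
 * Missing trailing components are treated as 0. Returns the count parsed. */
static int parse_version(const char *s, int out[4]) {
    out[0] = out[1] = out[2] = out[3] = 0;
    return sscanf(s, "%d.%d.%d.%d", &out[0], &out[1], &out[2], &out[3]);
}

/* Numeric comparison: <0 if a<b, 0 if equal, >0 if a>b.
 * strcmp() gets this wrong because it compares digit characters, not values. */
int version_cmp(const char *a, const char *b) {
    int va[4], vb[4];
    parse_version(a, va);
    parse_version(b, vb);
    for (int i = 0; i < 4; i++)
        if (va[i] != vb[i]) return va[i] < vb[i] ? -1 : 1;
    return 0;
}

/* 1 if the installed version is below the fixed floor for that package,
 * 0 if it is patched, -1 if the package is not one the advisory covers.
 * Package IDs are assumptions for this example. */
int is_vulnerable(const char *package, const char *installed) {
    const char *fixed = NULL;
    if (strcmp(package, "com.android.chrome") == 0) fixed = CHROME_ANDROID_FIXED;
    else if (strcmp(package, "com.microsoft.emmx") == 0) fixed = EDGE_ANDROID_FIXED;
    if (!fixed) return -1;
    return version_cmp(installed, fixed) < 0;
}

/* Pull the versionName= value out of `dumpsys package` text.
 * Returns 1 and fills out[] on success, 0 if no versionName line exists. */
int extract_version_name(const char *dumpsys_text, char *out, size_t out_len) {
    const char *p = strstr(dumpsys_text, "versionName=");
    if (!p) return 0;
    p += strlen("versionName=");
    size_t i = 0;
    while (i + 1 < out_len && p[i] && p[i] != '\n' && p[i] != '\r' && p[i] != ' ') {
        out[i] = p[i];
        i++;
    }
    out[i] = '\0';
    return i > 0;
}

/* Constructed sample of dumpsys output; not captured from a real device. */
static const char SAMPLE_DUMPSYS[] =
    "Packages:\n"
    "  Package [com.android.chrome] (a1b2c3):\n"
    "    userId=10123\n"
    "    versionCode=749909900 minSdk=26 targetSdk=35\n"
    "    versionName=143.0.7499.99\n"
    "    codePath=/data/app/~~abc/com.android.chrome-xyz\n";

/* Runs the check over the sample: 1 = vulnerable, 0 = patched, -1 = no version found. */
int check_sample(void) {
    char ver[32];
    if (!extract_version_name(SAMPLE_DUMPSYS, ver, sizeof ver)) return -1;
    return is_vulnerable("com.android.chrome", ver);
}

int main(void) {
    char ver[32];
    if (extract_version_name(SAMPLE_DUMPSYS, ver, sizeof ver))
        printf("com.android.chrome %s -> %s\n", ver,
               is_vulnerable("com.android.chrome", ver) ? "VULNERABLE" : "patched");
    return 0;
}
```

Feed it real output with `adb shell dumpsys package com.android.chrome` and the same two functions apply; the parser only looks for the `versionName=` field, so unrelated fields in the dump do not matter.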

Overview

Google has disclosed a high-severity (CVSS ~8.8) vulnerability, CVE-2025-14765, in the Chromium project, affecting the Chrome and Edge web browsers for Android. It is a use-after-free in WebGPU, the browser API that exposes GPU rendering and compute (used by graphics-heavy pages and in-browser machine learning workloads) to web content. An attacker can trigger it from a specially crafted HTML page to cause heap corruption, potentially leading to code execution in the browser. The vulnerability is patched in Google Chrome for Android 143.0.7499.146 and above, and in Microsoft Edge for Android 143.0.3650.88 and above.

United States federal agencies following CISA's remediation timelines should have all vulnerable devices patched by January 15, 2026. While that deadline is binding only on federal agencies, enterprise organizations are strongly advised to follow the same timeline.

Lookout Analysis

The vulnerability carries high impact on Confidentiality, Integrity, and Availability. Successful exploitation gives the attacker code execution inside the browser, from which they can read sensitive data the browser holds (such as saved passwords and session cookies), inject malicious scripts into other websites the user visits, or repeatedly crash the browser on the device.

The exploitation of CVE-2025-14765 typically follows these five steps:

  • Luring: The user visits a malicious website whose JavaScript drives WebGPU in a specially crafted sequence.
  • Freeing: The script triggers the lifetime bug, so the browser "frees" a memory block while it still holds a pointer to it.
  • Grooming: The attacker "sprays" the heap with same-sized, attacker-controlled allocations so the freed slot is reused and filled with a fake object.
  • Redirecting: The browser dereferences the stale pointer and, unknowingly, reads control data (such as a function pointer) from the attacker's fake object.
  • Executing: The attacker gains code execution in the browser to steal data or launch further attacks on the device.
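The freeing, grooming and redirecting steps are generic heap mechanics, so they can be shown in a few dozen lines of C. The program below is an added illustration for this page, not Chromium or WebGPU code and not the real CVE-2025-14765 trigger; the `widget_t` object, its handlers and the function names are all constructed for the demonstration. It assumes a glibc-style allocator that hands a just-freed chunk back to the next same-sized `malloc`, which is exactly the behaviour an attacker's spray relies on. The "attacker" code here is a friendly counter; in a real exploit the fake object would point into a ROP chain or shellcode.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for an object the browser keeps a pointer to: a callback plus
 * payload. Constructed for this example; not Chromium or WebGPU code. */
typedef struct {
    void (*on_use)(void);
    char label[24];
} widget_t;

static int benign_calls = 0;
static int hijacked_calls = 0;

static void benign_handler(void)   { benign_calls++; }
/* Stands in for attacker-chosen code. */
static void attacker_handler(void) { hijacked_calls++; }

/* "Freeing": the object is released, but the caller keeps the pointer. */
static widget_t *create_then_free(void) {
    widget_t *w = malloc(sizeof *w);
    w->on_use = benign_handler;
    strcpy(w->label, "legit");
    free(w);
    return w;            /* dangling pointer: this is the bug */
}

/* "Grooming": request a same-sized allocation so the allocator reuses the
 * freed slot, then write a fake object whose first field is our pointer. */
static void *spray_fake_object(void) {
    unsigned char *buf = malloc(sizeof(widget_t));
    void (*fake)(void) = attacker_handler;
    memcpy(buf, &fake, sizeof fake);
    memset(buf + sizeof fake, 'A', sizeof(widget_t) - sizeof fake);
    return buf;
}

/* "Redirecting": the victim dereferences its stale pointer. */
static void use_widget(widget_t *w) { w->on_use(); }

/* Runs the chain. Returns 1 if the spray landed in the freed slot and the
 * stale call was redirected to attacker_handler, 0 if the allocator did not
 * reuse the slot (in which case the dangling pointer is not dereferenced). */
int run_uaf_demo(void) {
    benign_calls = hijacked_calls = 0;
    widget_t *dangling = create_then_free();
    void *spray = spray_fake_object();
    if (spray != dangling) { free(spray); return 0; }
    use_widget(dangling);    /* calls attacker_handler, not benign_handler */
    free(spray);
    return hijacked_calls == 1 && benign_calls == 0;
}

/* The fix pattern: no reference outlives the free, and users check for a
 * live object before use. (Chromium's actual fix is not shown here.) */
int run_fixed_demo(void) {
    benign_calls = hijacked_calls = 0;
    widget_t *w = malloc(sizeof *w);
    w->on_use = benign_handler;
    free(w);
    w = NULL;                /* the stale reference is cleared with the free */
    void *spray = spray_fake_object();
    if (w) use_widget(w);    /* never taken: nothing left to redirect */
    free(spray);
    return hijacked_calls == 0;
}

int main(void) {
    printf("vulnerable path: %s\n", run_uaf_demo() ? "control hijacked" : "slot not reused");
    printf("fixed path: %s\n", run_fixed_demo() ? "no hijack" : "hijacked");
    return 0;
}
```

The only thing the attacker controls in the vulnerable path is the contents of a same-sized allocation, yet that is enough to decide which function the victim calls; that is why the advisory's "grooming" step matters as much as the bug itself, and why lifetime fixes (clearing or invalidating the reference when the object dies) remove the whole chain rather than just one trigger.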

Authors

Lookout

Endpoint Security
Entry Type: Threat Guidances
Threat Type: Vulnerability
Platform(s) Affected: Android