IRONSMITHINTEL
HIGH · CVSS 8.8
CVE-2025-0611 | Auth: none — visiting a crafted web page is sufficient | Reboot: not required | Est. 10 minutes (browser relaunch only) | Manual only

Google Chrome < 132.0.6834.110 — RCE

Two High-severity V8 memory-safety bugs in Chrome — an object-corruption flaw (CVE-2025-0611) and an out-of-bounds memory access (CVE-2025-0612) — both reachable via a crafted HTML page. Update Chrome to 132.0.6834.110/.111.

Published Jan 22, 2025 · Updated May 19, 2026
Why patch: Risk explained in plain English
Worst-case scenario: If unpatched

Either bug lets attacker-controlled JavaScript on a crafted page corrupt V8 heap state and gain a write-what-where primitive inside the renderer. With a separate sandbox escape, this becomes drive-by code execution under the user account running Chrome. Without sandbox escape, the renderer-process foothold still exposes session cookies, saved-form data, and content of any same-origin tabs the renderer is allowed to see — high value on a jump host where the user is logged into management consoles.

How the attack works

Chrome 132.0.6834.110 patches two distinct V8 memory-safety bugs disclosed together. CVE-2025-0611 is an object-corruption / heap-based overflow: attacker-controlled JavaScript drives V8 into a state where it writes past the end of a heap object, corrupting adjacent metadata. CVE-2025-0612 is an out-of-bounds memory access — V8 reads or writes outside the bounds of an allocated buffer. Either yields the same primitive: controlled heap corruption inside the renderer process, the building block for renderer-process code execution.

Am I affected? Quick check

Probably yes if any of these apply:

Any Windows server with Chrome installed
Jump hosts
RDS / Citrix session hosts where users browse
Administrative workstations
Running Chrome < 132.0.6834.110

Affected OS versions

Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025, Windows 10, Windows 11
Fixed in: 132.0.6834.110 (Windows) / 132.0.6834.111 (Mac)
Real-world incidents: What we've seen

Google shipped 132.0.6834.110/.111 on January 22, 2025. CVE-2025-0612 was credited to Alan Goodman (reported December 20, 2024); CVE-2025-0611 was credited to an external researcher under Google's VRP. Neither was reported as exploited in the wild prior to patch. Microsoft Edge picked up the matching fix in 132.0.2957.127 the next day. The pattern — two V8 memory bugs in a single mid-cycle release — has been recurring in Chrome's 2024–2025 cadence, reflecting the increasing share of V8 fuzzing inside Google and the broader research community.

How to patch

Manual remediation steps

10 minutes (browser relaunch only)

Check current Chrome version

(Get-ItemProperty 'HKLM:\SOFTWARE\Google\Chrome\BLBeacon' -ErrorAction SilentlyContinue).version

Update Chrome

$gu = "$env:ProgramFiles\Google\Update\GoogleUpdate.exe"
if (-not (Test-Path $gu)) { $gu = "${env:ProgramFiles(x86)}\Google\Update\GoogleUpdate.exe" }
if (Test-Path $gu) { & $gu /ua /installsource scheduler }

Verify

(Get-ItemProperty 'HKLM:\SOFTWARE\Google\Chrome\BLBeacon').version
# Must show 132.0.6834.110 or later.
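
The check and verify steps above as a single pass/fail gate, added here as an example and not a script from this page or from Google: it compares builds as [version] objects rather than strings, and falls back to the chrome.exe file version when the registry value is absent. The function names, the default install paths and the sample version strings are assumptions made for this example.

```powershell
# Added example: gate on the fixed Windows build stated on this page.
$FixedVersion = [version]'132.0.6834.110'

function Test-ChromePatched {
    param(
        [Parameter(Mandatory)][string]$InstalledVersion,
        [version]$Minimum = $FixedVersion
    )
    $parsed = $null
    if (-not [version]::TryParse($InstalledVersion, [ref]$parsed)) {
        throw "Not a parseable version string: '$InstalledVersion'"
    }
    # Numeric, field-by-field comparison (132.0.6834.83 is older than .110)
    return $parsed -ge $Minimum
}

function Get-ChromeVersion {
    # Registry value used by the check on this page; may be absent on some hosts
    $key = 'HKLM:\SOFTWARE\Google\Chrome\BLBeacon'
    $reg = (Get-ItemProperty $key -ErrorAction SilentlyContinue).version
    if ($reg) { return $reg }
    # Fallback (assumption: default per-machine install locations)
    foreach ($root in $env:ProgramFiles, ${env:ProgramFiles(x86)}) {
        if (-not $root) { continue }
        $exe = Join-Path $root 'Google\Chrome\Application\chrome.exe'
        if (Test-Path $exe) { return (Get-Item $exe).VersionInfo.ProductVersion }
    }
    return $null
}

# Constructed sample values: a string comparison misorders several of these
$samples = '132.0.6834.83', '132.0.6834.110', '132.0.6834.111', '99.0.4844.51'
foreach ($v in $samples) {
    $asString = $v -ge '132.0.6834.110'
    '{0,-16} patched={1} (string compare: {2})' -f $v, (Test-ChromePatched $v), $asString
}

# Check the local host
$installed = Get-ChromeVersion
if (-not $installed) {
    'Chrome not found in the registry value or default install paths'
} elseif (Test-ChromePatched $installed) {
    "OK: Chrome $installed"
} else {
    "VULNERABLE: Chrome $installed is older than $FixedVersion"
}
```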
PowerShell automation: Coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.