IRONSMITHINTEL
Severity: HIGH (CVSS 8.8)
CVE-2025-0291 | Auth: none — visiting a crafted web page is sufficient | Reboot: not required | Est. 10 minutes (browser relaunch only — no reboot) | Manual only

Google Chrome < 131.0.6778.264 — RCE

A type confusion flaw in Chrome's V8 JavaScript engine allows a remote attacker to execute code inside the renderer sandbox via a crafted HTML page. Update Chrome to 131.0.6778.264 (or move to the 132 stable channel released the following week, which supersedes this fix).

Published Jan 7, 2025 · Updated May 19, 2026
Why patch: risk explained in plain English

Worst-case scenario if unpatched

An attacker can host or compromise a page that loads JavaScript designed to trigger the type confusion. Any Chrome user visiting that page on a vulnerable build is exposed — no clicks, prompts, or downloads required beyond page navigation. Without a sandbox-escape companion the impact is limited to the renderer process; with one, the attacker achieves code execution under the account running Chrome.

How the attack works

V8 is Chrome's JavaScript and WebAssembly engine; every page Chrome loads exercises it. A type-confusion bug in V8 lets attacker-controlled JavaScript trick V8 into treating one object as a different type, corrupting memory adjacent to that object inside the renderer process. The result is arbitrary code execution constrained to Chrome's renderer sandbox — useful as the first link in a longer exploit chain that pairs it with a separate sandbox escape, but already enough to read browser secrets accessible to the renderer (session cookies, in-memory credentials, content from other tabs in the same site-isolation group).

Am I affected? Quick check

Probably yes if any of these apply:

Any Windows server with Chrome installed
Jump hosts
RDS / Citrix session hosts where users browse
Administrative workstations
Running Chrome < 131.0.6778.264

Affected OS versions

Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025, Windows 10, Windows 11

Fixed in: 131.0.6778.264 (or any 132.0.6834.83+)

Real-world incidents: what we've seen

Chrome's 131.0.6778.264 emergency early-stable update on January 7, 2025 shipped this fix on its own ahead of the broader 132.x promotion the following week. Microsoft Edge's extended-stable 131.0.2903.147 picked up the same Chromium patch a day later. The bug was reported by an external researcher via Google's VRP and was not seen exploited in the wild before the patch — but the V8 type-confusion class is exactly the primitive that has been chained into multiple in-the-wild Chrome zero-days in prior years, so operators treat these as same-day patches on jump hosts and RDS / Citrix servers where Chrome is interactive.

How to patch

Manual remediation steps

10 minutes (browser relaunch only — no reboot)

Check current Chrome version

# 64-bit install path:
(Get-ItemProperty 'HKLM:\SOFTWARE\Google\Chrome\BLBeacon' -ErrorAction SilentlyContinue).version
# 32-bit install path on 64-bit Windows:
(Get-ItemProperty 'HKLM:\SOFTWARE\WOW6432Node\Google\Chrome\BLBeacon' -ErrorAction SilentlyContinue).version

Update Chrome

# Force the Google Update task to check for and apply updates immediately:
$gu = "$env:ProgramFiles\Google\Update\GoogleUpdate.exe"
if (-not (Test-Path $gu)) { $gu = "${env:ProgramFiles(x86)}\Google\Update\GoogleUpdate.exe" }
if (Test-Path $gu) { & $gu /ua /installsource scheduler }

Enterprise deployment

    1. Chrome Enterprise MSI: https://chromeenterprise.google/browser/download/
    2. Deploy via SCCM, Intune Win32 app, or GPO. Set Google Update policy to "Always allow updates" so endpoints pick up future fixes without manual pushes.

Verify

(Get-ItemProperty 'HKLM:\SOFTWARE\Google\Chrome\BLBeacon').version
# Must show 131.0.6778.264 or any later (e.g. 132.0.6834.x) build.
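The check above relies on reading the version by eye. As an added example (not part of the original page or of Google's tooling), the following PowerShell audit function compares the installed build numerically against the fixed version, so it can be run across jump hosts and RDS / Citrix servers and returns a pass/fail rather than a string. It assumes the BLBeacon registry paths used on this page, adds the per-user HKCU location, and falls back to the chrome.exe file version when no beacon key exists.

```powershell
# Added example: audit the installed Chrome build against the CVE-2025-0291 fix.
# Assumes the BLBeacon keys shown on this page plus a chrome.exe file-version fallback.

$FixedVersion = [System.Version]'131.0.6778.264'

function Get-InstalledChromeVersion {
    # Per-system 64-bit, per-system 32-bit, and per-user install locations.
    $regPaths = @(
        'HKLM:\SOFTWARE\Google\Chrome\BLBeacon',
        'HKLM:\SOFTWARE\WOW6432Node\Google\Chrome\BLBeacon',
        'HKCU:\SOFTWARE\Google\Chrome\BLBeacon'
    )
    foreach ($p in $regPaths) {
        $v = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).version
        if ($v) { return [System.Version]$v }
    }
    # Fallback: read the file version from chrome.exe if no beacon key is present.
    $exePaths = @(
        "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
        "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
        "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe"
    )
    foreach ($e in $exePaths) {
        if (Test-Path $e) { return [System.Version](Get-Item $e).VersionInfo.FileVersion }
    }
    return $null
}

function Test-ChromePatched {
    param([System.Version]$Installed, [System.Version]$Fixed = $FixedVersion)
    # [System.Version] compares each component as a number, so 132.0.6834.83
    # correctly sorts after 131.0.6778.264. A plain string compare would rank
    # '131.0.6778.9' above '131.0.6778.264' and report a vulnerable host as patched.
    if (-not $Installed) { return $false }
    return $Installed -ge $Fixed
}

$installed = Get-InstalledChromeVersion
if (-not $installed) {
    Write-Output "${env:COMPUTERNAME}: Chrome not found (not affected by this CVE)"
} elseif (Test-ChromePatched -Installed $installed) {
    Write-Output "${env:COMPUTERNAME}: Chrome $installed is patched (>= $FixedVersion)"
} else {
    Write-Output "${env:COMPUTERNAME}: Chrome $installed is VULNERABLE (< $FixedVersion) - update required"
}
```

Run it through Invoke-Command against the jump-host list to collect one line per server; any VULNERABLE line is a host that still needs the update step above.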
PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.