CVE-2025-0436: 
vulnerability analysis and mitigation

Integer overflow vulnerability in Skia component of Google Chrome versions prior to 132.0.6834.83 was discovered on December 8, 2024, by Han Zheng from HexHive. The vulnerability allows remote attackers to potentially exploit heap corruption through specially crafted HTML pages (Chrome Release, NVD).

The vulnerability is classified as High severity with a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The issue is associated with CWE-472 (External Control of Assumed-Immutable Web Parameter) and CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The vulnerability could lead to heap corruption, potentially allowing attackers to execute arbitrary code or cause system crashes when users visit maliciously crafted web pages. The high CVSS score indicates significant potential impact on confidentiality, integrity, and availability of the affected systems (NVD, Palo Alto).

Google has released a patch in Chrome version 132.0.6834.83 to address this vulnerability. Users and organizations are strongly advised to update to this version or later. The fix has also been incorporated into various downstream products, including Debian security updates and Palo Alto Networks' Prisma Access Browser version 132.111.3017.2 (Chrome Release, Debian).