CVE-2025-0437: 
vulnerability analysis and mitigation

CVE-2025-0437 is an out-of-bounds read vulnerability discovered in the Metrics component of Google Chrome versions prior to 132.0.6834.83. The vulnerability was reported by Xiantong Hou of Wuheng Lab and Pisanbao on November 12, 2024, and was officially patched in Chrome version 132.0.6834.83, released on January 14, 2025 (Chrome Release).

The vulnerability is classified as a High severity issue that involves an out-of-bounds read in the Metrics component of Chrome. The issue could potentially lead to heap corruption when triggered by a specially crafted HTML page (Debian Tracker). A bounty of $2000 was awarded for the discovery of this vulnerability (Chrome Release).

The vulnerability affects multiple versions of Google Chrome across Windows, Mac, and Linux platforms. According to Palo Alto Networks' assessment, the vulnerability has a CVSS-BT score of 6.1 (MEDIUM) and CVSS-B score of 8.6, with potential high impacts on confidentiality, integrity, and availability (Palo Alto).

The vulnerability has been fixed in Chrome version 132.0.6834.83 and users are advised to update to this version or later. For Debian systems, the fix is available in version 133.0.6943.98-1~deb12u1 for bookworm and 133.0.6943.98-1 for sid and trixie distributions (Debian Tracker). No specific workarounds are available, and updating to the patched version is the recommended solution (Palo Alto).