CVE-2025-11210: 
vulnerability analysis and mitigation

Side-channel information leakage vulnerability in the Tab functionality of Google Chrome versions prior to 141.0.7390.54 was discovered. The vulnerability, tracked as CVE-2025-11210, was reported by Umar Farooq on August 22, 2025, and allows remote attackers to perform UI spoofing through a crafted HTML page when users engage in specific UI gestures (Chrome Release, Debian Security).

The vulnerability has been assigned a CVSS 3.1 score of 5.4 (Medium), with the following characteristics: Network attack vector, Low attack complexity, No privileges required, User interaction required, Unchanged scope, Low confidentiality impact, Low integrity impact, and No availability impact. The vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N (Ubuntu Security).

The vulnerability could lead to UI spoofing attacks through side-channel information leakage, potentially compromising user interface integrity and confidentiality of tab-related information. The impact is considered Medium severity according to Chromium's security assessment (Debian Security).

Google has addressed this vulnerability in Chrome version 141.0.7390.54. The fix has been distributed to Windows, Mac, and Linux platforms. Debian has also released security updates for affected versions in both bookworm (version 141.0.7390.54-1~deb12u1) and trixie (version 141.0.7390.54-1~deb13u1) distributions (Chrome Release, Debian Advisory).

Google awarded a bug bounty of $3,000 to Umar Farooq for reporting this vulnerability, indicating its moderate severity and impact on the Chrome browser (Chrome Release).