CVE-2025-12728: 
vulnerability analysis and mitigation

A medium severity vulnerability (CVE-2025-12728) was identified in Google Chrome's Omnibox feature on Android devices prior to version 142.0.7444.137. The vulnerability was discovered by Hafiizh on October 16, 2025, and was publicly disclosed on November 5, 2025 (Chrome Release).

The vulnerability stems from an inappropriate implementation in the Omnibox component of Google Chrome on Android. It is classified under CWE-451 (User Interface Misrepresentation of Critical Information). The vulnerability has received a CVSS 3.1 base score of 4.2 (Medium) with the following vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L (NVD).

The vulnerability allows a remote attacker to perform UI spoofing through a crafted HTML page, but only if they can convince a user to engage in specific UI gestures. This could potentially lead to user interface misrepresentation of critical information (NVD).

Google has addressed this vulnerability in Chrome version 142.0.7444.137 and later. Users are advised to update their Chrome browsers to the latest version. Various Linux distributions have also released fixes, including Debian which has patched the vulnerability in version 142.0.7444.175-1 (Debian Tracker).