CVE-2025-3067: 
vulnerability analysis and mitigation

A vulnerability identified as CVE-2025-3067 was discovered in Google Chrome's Custom Tabs implementation on Android devices. The vulnerability affects versions prior to 135.0.7049.52 and was initially reported by Philipp Beer from TU Wien on October 31, 2024. The issue was publicly disclosed on April 1, 2025, and received a Medium severity rating from the Chromium team (Chrome Release).

The vulnerability has been assigned a CVSS 4.0 base score of 8.6 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Additionally, CISA-ADP assessed the vulnerability with a CVSS 3.1 base score of 8.8 (HIGH) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD, Rapid7).

The vulnerability allows a remote attacker to perform privilege escalation through a crafted app when they successfully convince a user to engage in specific UI gestures. This could potentially lead to complete compromise of the affected system's confidentiality, integrity, and availability (NVD).

Users are advised to update their Google Chrome for Android to version 135.0.7049.52 or later. Google has addressed this vulnerability and released a patch as part of their stable channel update (Chrome Release).

The vulnerability was deemed significant enough to warrant a $10,000 bug bounty reward from Google to the researcher who reported it. This indicates the potential impact and importance of the vulnerability within the security community (Chrome Release).