CVE-2025-4372: 
vulnerability analysis and mitigation

CVE-2025-4372 is a Use-after-free vulnerability discovered in the WebAudio component of Google Chrome versions prior to 136.0.7103.92. The vulnerability was reported by Huang Xilin of Ant Group Light-Year Security Lab on April 20, 2025, and was assigned a Medium severity rating by the Chrome security team (Chrome Release).

The vulnerability is classified as CWE-416 (Use After Free) and received a CVSS 3.1 Base Score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The issue allows a remote attacker to potentially exploit heap corruption through a specially crafted HTML page targeting the WebAudio component (NVD).

The vulnerability could lead to heap corruption if successfully exploited, potentially allowing attackers to execute arbitrary code within the context of the browser. Given the CVSS score of 8.8, the impact is considered high, affecting confidentiality, integrity, and availability of the system (CISA-ADP).

Google has released a patch in Chrome version 136.0.7103.92 for Windows, Mac, and Linux platforms. Users are advised to update their Chrome browsers to this version or later to mitigate the vulnerability (Chrome Release).

Google awarded a $7,000 bug bounty for the discovery of this vulnerability, indicating its significance in their security program (Chrome Release).