Two Critical Chrome Vulnerabilities (CVE-2025-3619 & CVE-2025-3620)

On April 15, 2025, Google released a critical security update for the Chrome browser, addressing two high-severity vulnerabilities tracked as CVE-2025-3619 and CVE-2025-3620. These flaws affect Chrome across all major platforms—Windows, macOS, and Linux—and have the potential to allow remote attackers to execute arbitrary code or take control of affected systems.

CVE-2025-3619 is classified as a heap buffer overflow in Chrome’s Codecs component, while CVE-2025-3620 is a use-after-free vulnerability in the USB subsystem. Both were responsibly disclosed by security researchers and have been patched in Chrome version 135.0.7049.95/.96.

Given their nature and scope, these vulnerabilities pose significant risks to both individual users and enterprise environments.

How the Vulnerabilities Work

CVE-2025-3619: Heap Buffer Overflow in Codecs

This vulnerability stems from improper memory management when processing multimedia content through Chrome’s internal codec libraries. In particular, a carefully crafted audio or video stream can trigger a heap buffer overflow condition. Once this occurs, an attacker can overwrite portions of memory adjacent to the buffer.

This memory corruption allows for the execution of arbitrary code within the context of the browser. If leveraged in combination with a sandbox escape or privilege escalation technique, this vulnerability could lead to full system compromise. The most concerning aspect is that the attack vector is remote—simply visiting a malicious website could be enough to trigger the exploit.

CVE-2025-3620: Use-After-Free in USB

This issue arises in Chrome’s implementation of the WebUSB API, which enables websites to interact with USB devices. The vulnerability is due to improper handling of object lifetimes. Specifically, if an object tied to a USB interaction is deleted but still referenced elsewhere in the code, a use-after-free condition occurs.

This leads to undefined behavior, which can be exploited to execute attacker-controlled code. Like the buffer overflow vulnerability, this flaw can be exploited remotely and is especially dangerous in the hands of a skilled attacker who can manipulate the browser’s memory layout through JavaScript.

Recommendations

◾ All users and administrators should update Chrome immediately to mitigate these vulnerabilities. Chrome version 135.0.7049.95 is available for Linux, and version 135.0.7049.95/.96 for Windows and macOS.
◾ Enterprise environments should prioritize patching endpoints through their central management platforms. It is also advisable to audit existing Chrome versions across assets and enforce policies to prevent the use of outdated browsers.
◾ In high-assurance environments, additional mitigations may include disabling or restricting access to browser APIs such as WebUSB, especially if the feature is not in active use.
◾ Monitoring browser telemetry, endpoint behavior, and DNS/network traffic for anomalies is also recommended in case the vulnerabilities were exploited before patching.
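
The version audit and WebUSB restriction recommended above can be checked together. The following is an added example, not part of the original advisory: it buckets hosts from an asset export by whether their Chrome build is below 135.0.7049.95 and whether WebUSB is blocked through Chrome's `DefaultWebUsbGuardSetting` enterprise policy. The CSV column names, host names and sample rows are constructed assumptions.

```python
import csv
import io

# First patched build named in the advisory (Linux .95, Windows/macOS .95/.96).
FIXED_BUILD = (135, 0, 7049, 95)
# Chrome enterprise policy DefaultWebUsbGuardSetting: 2 blocks WebUSB, 3 lets sites ask.
WEBUSB_BLOCKED = "2"

# Constructed sample inventory; the column names and every row are assumptions.
SAMPLE_INVENTORY = """host,os,chrome_version,webusb_guard
ws-001,windows,135.0.7049.96,
ws-002,windows,135.0.7049.10,3
mac-01,macos,134.0.0.1,2
lnx-01,linux,135.0.7049.95,2
lnx-02,linux,136.0.0.0,
kiosk-9,windows,not-reported,
"""


def parse_version(text):
    """Return a 4-part version as a tuple of ints, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def audit(inventory_csv, fixed=FIXED_BUILD):
    """Bucket hosts by patch state, comparing builds numerically so .100 is not read as older than .95."""
    report = {"patched": [], "vulnerable": [], "vulnerable_webusb_open": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row["chrome_version"])
        if version is None:
            bucket = "unknown"  # treat as unpatched until verified
        elif version >= fixed:
            bucket = "patched"
        elif row["webusb_guard"].strip() != WEBUSB_BLOCKED:
            bucket = "vulnerable_webusb_open"  # old build and WebUSB not blocked by policy
        else:
            bucket = "vulnerable"  # old build, WebUSB blocked; the codec flaw still applies
        report[bucket].append(row["host"])
    return report


if __name__ == "__main__":
    for bucket, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Blocking WebUSB only narrows exposure to CVE-2025-3620; hosts in either vulnerable bucket still need the update for CVE-2025-3619.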

Conclusion

◾ Browser-based vulnerabilities continue to be a lucrative attack vector for threat actors. CVE-2025-3619 and CVE-2025-3620 exemplify how seemingly small memory safety issues can have outsized impact—particularly when tied to widely used platforms like Chrome.
◾ Timely patching, strict browser policy enforcement, and layered security controls remain the most effective countermeasures. Security teams should treat these vulnerabilities with urgency and ensure updates are deployed across all endpoints.
◾ For those managing security at scale, now is also a good time to review incident response protocols related to browser exploitation and revisit endpoint detection rules for signs of abnormal Chrome behavior.

Stay updated. Stay secured.