Google has issued a critical security update for its Chrome browser, addressing a significant vulnerability within the WebAudio component that could allow attackers to execute arbitrary code remotely. The update elevates Chrome to version 136.0.7103.92/.93 for Windows and Mac users, and 136.0.7103.92 for Linux users.
Understanding the Vulnerability
The primary concern is a Use-After-Free (UAF) vulnerability identified as CVE-2025-4372 within Chrome’s WebAudio API. This flaw could enable remote attackers to exploit heap corruption by enticing users to visit specially crafted HTML pages. Huang Xilin from Ant Group Light-Year Security Lab discovered and reported this issue on April 20, 2025, earning a $7,000 bounty through Google’s vulnerability rewards program.
Use-After-Free vulnerabilities occur when a program continues to reference memory after it has been freed, leading to potential memory corruption and arbitrary code execution. In this instance, the MediaStreamAudioDestinationNode was not adequately managed, allowing attackers to manipulate freed memory addresses to execute malicious code.
Severity and Impact
While Google has classified this vulnerability as Medium severity, other security organizations, such as Tenable, have rated it as Critical, assigning it a CVSS base score of 9.8. This high rating reflects the vulnerability’s potential for significant exploitation, given that it requires minimal user interaction—merely visiting a malicious webpage—and no elevated user privileges.
Technical Details and Mitigation
The vulnerability stems from improper management of the MediaStreamAudioDestinationNode within the WebAudio API. To address this, Google has updated the component to be an ActiveScriptWrappable, ensuring that audio nodes are not prematurely destroyed while still in use by active scripts. This change effectively mitigates the risk of memory corruption associated with the flaw.
Historical Context
This is not the first time Chrome’s WebAudio component has been targeted. Previous vulnerabilities, such as CVE-2023-6345 and CVE-2024-0224, have been identified in earlier versions, underscoring the ongoing security challenges associated with complex audio processing in web browsers.
Detection and Prevention
Google’s security team employs various tools to detect such vulnerabilities, including AddressSanitizer (ASan), MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL. AddressSanitizer, in particular, is effective at identifying memory errors like Use-After-Free conditions, though it can slow down applications during testing.
User Recommendations
The update is being rolled out automatically to users over the coming days and weeks. However, security experts recommend that users manually update their browsers immediately to ensure protection against potential exploits. To do this, navigate to Chrome’s settings (chrome://settings/help) to check for and install the latest version.
Conclusion
The prompt identification and patching of CVE-2025-4372 highlight the importance of regular software updates and vigilance against emerging security threats. Users are encouraged to keep their browsers up to date and exercise caution when visiting unfamiliar websites to maintain optimal security.
