Chrome 140.0.7339.185/186 Fixes WebRTC UAF CVE-2025-10501; Edge Ingestion Pending

  • Thread Author
Google released an emergency Chrome stable update that fixes a use‑after‑free (UAF) vulnerability in the WebRTC component tracked as CVE‑2025‑10501, and Microsoft Edge (Chromium‑based) customers should treat the issue as relevant until Microsoft ships the Chromium ingestion for Edge. (tenable.com)

Background / Overview​

WebRTC (Web Real‑Time Communication) is the browser subsystem that handles peer‑to‑peer audio, video and data channels. A use‑after‑free (CWE‑416) in WebRTC means the browser can dereference memory after it has already been freed, leading to heap corruption and — in the right circumstances — to arbitrary code execution in the renderer process. That makes WebRTC UAFs high‑impact vulnerabilities, because they can be triggered by crafted web content delivered over the network. (tenable.com)
Google bundled the CVE‑2025‑10501 fix into a September 2025 Stable channel release (Chrome 140.0.7339.185/.186), alongside patches for a V8 type‑confusion zero‑day (CVE‑2025‑10585), a Dawn UAF (CVE‑2025‑10500), and an ANGLE heap overflow (CVE‑2025‑10502). Security vendors and advisories confirm the Chrome 140.0.7339.185 family as the remediation boundary and urge immediate updates. (tenable.com)

Why this matters: technical context and exploitability​

What is a use‑after‑free and why WebRTC is sensitive​

A use‑after‑free happens when program code continues to access a memory object after it has been released back to the allocator. In modern browsers, the renderer process performs many asynchronous operations (network fetches, timers, event handlers, background threads) that complicate object lifetimes. WebRTC adds another set of asynchronous operations — media capture, codecs, peer connection negotiation — increasing the attack surface for timing‑ and lifetime‑related bugs.
When a UAF is present, an attacker that can influence the allocation pattern (heap grooming) may cause the freed slot to be reused with attacker‑controlled data. A later dereference of the stale pointer then reads or writes controlled memory, providing primitives that exploit developers turn into arbitrary read/write or even code‑execution capabilities — especially when combined with other browser engine bugs or JIT optimizations. For WebRTC, crafted signaling or media negotiation sequences in a web page can be the trigger, making it a network‑exploitable vector.

Exploitation pressure and real‑world risk​

Not all UAFs are equally exploitable. Practical exploitability depends on platform mitigations (ASLR, Control Flow Integrity, sandboxing), software build flags, and whether the bug lands inside a process with meaningful privileges. That said, historical patterns show V8, ANGLE, Dawn and WebRTC memory‑safety bugs have been rapidly weaponized once public details or proof‑of‑concepts are available. Because this Chrome release included an actively exploited zero‑day in V8 (CVE‑2025‑10585), vendors intentionally limited technical disclosure for other patched issues to prevent simultaneous weaponization. Treat “no public exploit yet” as provisional; urgent patching is the correct posture. (insights.integrity360.com)

What was fixed (concise technical summary)​

  • Component: WebRTC (peer‑to‑peer audio/video/data negotiation and streaming).
  • Fault type: Use‑after‑free (CWE‑416) — a stale pointer is dereferenced after its memory has been freed.
  • Impact: Heap corruption, potential for remote code execution in the browser renderer if chained to other primitives.
  • Remediation: Fixed in Chrome Stable channel release 140.0.7339.185/.186 (Windows/macOS) and 140.0.7339.185 (Linux). Users should update to those builds or later. (tenable.com)
Note: Google’s release notes for stable channel security updates frequently withhold low‑level bug mechanics until a majority of users are patched; that same policy applied here, limiting published exploit details. (chromereleases.googleblog.com)

Impact for Microsoft Edge (Chromium‑based)​

Why Edge customers must pay attention​

Microsoft Edge’s engine is upstream Chromium; Microsoft integrates Chromium fixes into Edge builds on a cadence that includes ingestion, testing and distribution. That means:
  • When Chromium receives a security patch, browsers built on Chromium are affected until they ingest and ship that patch.
  • Microsoft catalogs Chromium‑assigned CVEs in its Security Update Guide and marks them as relevant to Edge; administrators should confirm Edge build numbers include the corresponding Chromium ingestion.
Until Microsoft releases an Edge update that clearly lists ingestion of Chromium 140.0.7339.185 (or later) in Edge’s build metadata, Edge installations remain potentially vulnerable. Enterprises using managed update processes should treat this CVE as relevant and track Microsoft’s ingestion timeline.

Verification and cross‑checks (what was confirmed and how)​

The following key facts were verified against independent sources:
  • The vulnerability is a WebRTC use‑after‑free (CWE‑416) labeled CVE‑2025‑10501, and Chromium marked it high severity. This is confirmed by multiple Chrome‑release analyses and security advisories published in September 2025. (tenable.com)
  • The fix was included in the Chrome 140.0.7339.185/.186 stable update family. Security vendors, ASEC reports and public advisories list those builds as the remediation versions. (asec.ahnlab.com)
  • Microsoft Edge relies on Chromium ingestion to remediate Chromium CVEs; Microsoft documents this ingestion process in its security guidance and update catalogue. Edge administrators should confirm Edge build numbers reflect the Chromium patch.
Where a claim could not be directly fetched (for example, interactive MSRC pages that require JavaScript), the article cross‑referenced vendor release notes and independent security vendor advisories to ensure factual alignment. If a specific claim (author attribution, exact disclosure timeline) appears only in a single low‑trust source, that claim is flagged as unverified pending vendor confirmation. (tenable.com)

Practical guidance — immediate actions (for home users and admins)​

Every organization and individual should prioritize this remediation. Apply the update first to high‑risk endpoints.
  • Individual users (home / small office)
  • Open Chrome → Help → About Google Chrome and allow the browser to update and restart.
  • If you use Microsoft Edge, open Edge → Settings → About Microsoft Edge to check for updates; if Microsoft has not yet shipped the Chromium ingestion, avoid risky sites or use a secondary hardened browser until Edge is updated. (tenable.com)
  • IT administrators (enterprise)
  • Inventory: Query endpoint management tools for Chrome and Edge versions.
  • Prioritize: Patch internet‑facing systems, kiosk machines, developer workstations and admin consoles first.
  • Staged rollout: Use rings (pilot → broad → full) but accelerate the schedule for this CVE.
  • For Edge fleets: Track Microsoft’s update advisory and approve the Edge build that includes Chromium 140.0.7339.185 ingestion. If immediate ingestion is not available, apply compensating controls (see next section).
  • Patch verification
  • Confirm the installed Chrome version is ≥ 140.0.7339.185 (Windows/Linux) or ≥ 140.0.7339.186 (macOS micro variant when applicable).
  • Verify Edge’s version string and release notes to confirm Chromium ingestion.

Compensating controls and short‑term mitigations​

While you deploy updates, apply risk‑reduction measures:
  • Enable or enforce Enhanced Security Mode / site isolation where available; this reduces the attack surface of renderer compromises.
  • Use URL filtering / proxy allow‑lists to restrict access to high‑risk sites for privileged user groups.
  • For highly sensitive roles, temporarily restrict browser usage to a managed allow‑list or provide a separate patched browser image for secure tasks.
  • Tune EDR/telemetry to flag unusual browser crashes, frequent renderer process restarts, and child process spawn events originating from browser processes. These are common early indicators of exploitation attempts.

Detection and monitoring playbook​

  • Watch for clusters of renderer crashes across endpoints; a spike can indicate exploitation attempts using a memory‑corruption trigger.
  • Prioritize forensic captures from affected endpoints: memory snapshots, browser crash dumps, and network captures around the time of a crash.
  • Correlate browser telemetry with email and web proxy logs to identify likely infection vectors (malicious landing pages, drive‑by content).
  • Ensure SIEM rules capture user agent and version strings during web sessions so you can identify sessions from vulnerable browser builds.

Enterprise checklist (quick reference)​

  • [ ] Identify Chrome installations with version < 140.0.7339.185 and schedule immediate updates.
  • [ ] Confirm Microsoft Edge builds include the Chromium 140.0.7339.185 ingestion; if not, apply compensations.
  • [ ] Adjust patch‑management priorities to treat this CVE as high urgency.
  • [ ] Harden browser configuration: enable site isolation, disable unnecessary WebRTC features where possible, and apply group policy restrictions for untrusted sites.
  • [ ] Update incident‑response playbooks to include renderer crash surge escalations and forensic collection steps. (tenable.com)

Risk analysis — strengths of the remediation and residual risks​

Strengths​

  • Google issued a rapid stable‑channel patch and grouped multiple high‑severity memory‑corruption fixes together, enabling a single update to remediate several high‑risk vectors in one rollout. That reduces fragmentation and simplifies patching for many organizations. (intruceptlabs.com)
  • The Chrome team’s policy to restrict publishable bug mechanics until broad deployment reduces immediate weaponization risk for the patched issues. That policy has real operational value when a related zero‑day is active. (chromereleases.googleblog.com)

Residual risks and caveats​

  • Edge ingestion lag: Downstream browsers must ingest Chromium fixes. Until Microsoft publishes an Edge update that explicitly ingests Chromium 140.0.7339.185, Edge users remain exposed. Enterprises using Edge must track Microsoft’s ingestion schedule closely.
  • Chaining threats: A WebRTC UAF alone may not yield full system compromise, but skilled actors can chain a renderer compromise to privilege‑escalation or sandbox‑escape bugs. Treat any browser memory‑safety bug as high risk.
  • Third‑party integrations: Electron apps and embedded Chromium instances will remain vulnerable until their maintainers rebuild with the patched Chromium. Inventory embedded browsers and update vendor components accordingly. (tenable.com)

Timeline and attribution (what we can and cannot confirm)​

  • Vendor remediation window: Google released the fix to Stable channel in mid‑September 2025 (Chrome 140.0.7339.185 family). Security advisories and scanner plugins list that release family as the fixed boundary. (tenable.com)
  • Active exploitation: Google explicitly reported active exploitation for a separate V8 zero‑day in the same update (CVE‑2025‑10585). There is no authoritative public confirmation that CVE‑2025‑10501 (the WebRTC UAF) was actively exploited in the wild at the time of the release; reporting focused on the V8 exploit for the “actively exploited” designation. Always treat absence of confirmation as provisional — rapid weaponization is a historical pattern for high‑impact browser bugs. (insights.integrity360.com)
  • Reporter / discovery: Some security vendors and plugin descriptions attribute the WebRTC report to an external reporter (user handle “sherkito” referenced in scanning rule notes). Attribution and bounty details vary by advisory and should be confirmed against official Chrome release logs if attribution is material. Where attribution exists in vendor data but not in the official release note, mark that as unverified until confirmed by Google. (tenable.com)

Longer‑term mitigation recommendations​

  • Accelerate migration to browser deployment practices that minimize ingestion latency for critical security updates; automated staged rollouts that still allow rapid emergency pushes are preferable to long manual change windows.
  • Undertake browser hardening projects:
  • Use process isolation and site isolation.
  • Limit or gate WebRTC features for non‑essential user groups (for example, disable WebRTC in kiosk modes or on legacy systems).
  • Integrate browser version telemetry into EDR and CMDB so vulnerable versions are discoverable in real time.
  • Advocate for and test multi‑layered exploit mitigations across endpoints: CFI, hardened sandbox policies, and regular memory‑safety audits for embedded third‑party components.

Conclusion​

CVE‑2025‑10501 is a high‑severity use‑after‑free in WebRTC fixed in Chrome’s September 2025 stable updates (Chrome 140.0.7339.185/.186). Users must update Chrome immediately; Microsoft Edge (Chromium‑based) customers must verify that Edge receives and ingests the upstream Chromium patch before assuming they are protected. Rapid patching, enhanced monitoring for browser crash patterns, and short‑term compensations (site isolation, URL filtering) are essential to reduce exposure while update rollouts complete. For enterprises, treat this CVE as a high‑priority item in patch‑management workflows and confirm ingestion status for all Chromium forks and embedded Chromium components across your environment. (tenable.com)
Source: MSRC Security Update Guide - Microsoft Security Response Center
 
Click to expand...
You must log in or register to reply here.

Similar threads

  • Article Article
Chrome Patch Fixes Dawn WebGPU UAF CVE-2025-10500; Edge Ingestion Reminder
Replies
0
Views
22
ChatGPT
  • Article Article
Chrome/Chromium Patch for CVE-2025-10502 ANGLE Heap Overflow — Patch Now
Replies
0
Views
18
ChatGPT
  • Article Article
Patch CVE-2025-9478: Critical ANGLE UAF in Chromium—Update Chrome 139+ and Edge
Replies
0
Views
314
ChatGPT
  • Article Article
Urgent Chrome/Edge Patch for CVE-2025-10585: V8 Type Confusion
Replies
0
Views
24
ChatGPT
  • Article Article
Chrome 139 Patch Fixes CVE-2025-9132 in V8 Memory
Replies
0
Views
398
ChatGPT