Chromium’s recent CVE-2025-12438 — a use‑after‑free in Ozone — has been recorded in Microsoft’s Security Update Guide because Microsoft Edge (Chromium‑based) consumes Chromium’s open‑source engine; the entry is Microsoft’s way of telling Edge customers whether their installed Edge build is still vulnerable and which downstream Edge build contains the upstream Chromium fix.
Chromium is the open‑source project that underpins Google Chrome and the Chromium engine used by many other browsers, including Microsoft Edge (Chromium‑based). When Google ships a Chromium security fix, every downstream product that uses that codebase must ingest the upstream change and ship its own updated build before that downstream product is no longer exposed to the original Chromium CVE. Microsoft documents that downstream status in its Security Update Guide (SUG) so administrators can see whether Edge has ingested the relevant Chromium fix. CVE‑2025‑12438 is reported as a Use After Free (CWE‑416) in Ozone, a Chromium subsystem that mediates platform‑specific input and windowing surfaces on some platforms. Google included this fix in the Chrome Stable release cycle that promoted Chrome 142.x (desktop builds 142.0.7444.59 / 142.0.7444.60), making those Chrome builds the upstream remediation boundary. Independent trackers and vendor release notes reflect that Chrome 142.0.7444.59/60 contains the fix. Because downstream vendors — Microsoft for Edge, and other Chromium‑based browser vendors — incorporate changes on their own release cadence, the presence of CVE‑2025‑12438 in Microsoft’s Security Update Guide is not an accusation against Microsoft but rather a notification: the CVE exists upstream and SUG will show when Microsoft has shipped an Edge release that ingests the Chromium patch.
Source: MSRC Security Update Guide - Microsoft Security Response Center
Background / Overview
Chromium is the open‑source project that underpins Google Chrome and the Chromium engine used by many other browsers, including Microsoft Edge (Chromium‑based). When Google ships a Chromium security fix, every downstream product that uses that codebase must ingest the upstream change and ship its own updated build before that downstream product is no longer exposed to the original Chromium CVE. Microsoft documents that downstream status in its Security Update Guide (SUG) so administrators can see whether Edge has ingested the relevant Chromium fix. CVE‑2025‑12438 is reported as a Use After Free (CWE‑416) in Ozone, a Chromium subsystem that mediates platform‑specific input and windowing surfaces on some platforms. Google included this fix in the Chrome Stable release cycle that promoted Chrome 142.x (desktop builds 142.0.7444.59 / 142.0.7444.60), making those Chrome builds the upstream remediation boundary. Independent trackers and vendor release notes reflect that Chrome 142.0.7444.59/60 contains the fix. Because downstream vendors — Microsoft for Edge, and other Chromium‑based browser vendors — incorporate changes on their own release cadence, the presence of CVE‑2025‑12438 in Microsoft’s Security Update Guide is not an accusation against Microsoft but rather a notification: the CVE exists upstream and SUG will show when Microsoft has shipped an Edge release that ingests the Chromium patch.What Ozone is, and why a UAF in Ozone matters
Ozone at a glance
- Ozone is a Chromium abstraction layer that handles native windowing and input plumbing for some operating systems and configurations. It is integral to how Chromium talks to the platform’s windowing stack and graphics/input subsystems.
- Because Ozone bridges web content and platform resources, bugs here can be reachable from web content or from platform interactions, depending on the code path.
Why the CVE appears in Microsoft’s Security Update Guide
Microsoft’s Security Update Guide records CVEs that affect Microsoft products and lists the ingestion/mitigation status for those issues. There are three practical reasons the Chromium CVE shows up in SUG:- Edge consumes Chromium OSS. When Chromium is fixed upstream, Edge remains vulnerable until Microsoft ingests, tests, and ships the downstream patch. SUG gives operators a single place to verify Edge’s status for that CVE.
- SUG supports enterprise tracking and compliance. IT teams often need a canonical record indicating whether an enterprise‑managed product is still at risk; SUG serves that role for Microsoft products.
- The SUG entry communicates the remediation boundary for Edge specifically (the exact Edge build that includes the Chromium ingestion). That mapping prevents confusion between an upstream Chrome version number and the downstream Edge version that actually contains the fix.
Which Chrome build fixed CVE‑2025‑12438 (verification)
Google’s official Chrome Releases blog lists the promotion of Chrome 142 to Stable and the desktop builds that include that update; public aggregation and security trackers identify Chrome 142.0.7444.59 (Windows/Linux) and 142.0.7444.60 (macOS) as the builds that contain the October 28, 2025 security fixes, which include CVE‑2025‑12438 (Ozone UAF). Cross‑checks with vendor summaries and independent trackers show the same remediation boundary. This has been verified against Google’s Chrome Releases and independent reporting. Caution: some aggregators list the CVE without a CVSS score or exploit metric yet; treat exploit status as time‑sensitive. At the time of publication, public feeds noted that the Chrome 142 release fixed the Ozone UAF, but some trackers reported "No CVSS yet" or lacked a public proof of exploit. Until vendors or trusted incident responders publish exploitation evidence, the "in the wild" status remains unverified and should be reassessed with threat‑intelligence feeds as events evolve.How to see the version of the browser (step‑by‑step, desktop)
Verifying your installed browser version is the immediate, authoritative way to know whether the fix is present.Microsoft Edge (desktop)
- Open Microsoft Edge.
- Menu → Help and feedback → About Microsoft Edge, or type edge://settings/help into the address bar.
- Edge will display a version string and will automatically check for updates. The About page shows whether the browser is up to date. You can also open edge://version to see the full build string and the underlying Chromium revision.
Google Chrome (desktop)
- Open Google Chrome.
- Menu → Help → About Google Chrome, or type chrome://settings/help in the address bar.
- Chrome shows the full version string and triggers an update check. The chrome://version page yields the exact build and revision for mapping to upstream Chromium fixes.
Mobile versions
Mobile apps (Android/iOS) expose About pages in Settings → About Chrome / About Microsoft Edge. They show app version strings but do not always display the underlying Chromium revision; use vendor release notes for mapping on mobile.How to interpret the version string and map it to the CVE fix
What you see in the About page looks like a dotted version string: for example, Microsoft Edge Version 142.0.7444.60 or Google Chrome Version 142.0.7444.59. Operationally:- If your Chrome build is ≥ 142.0.7444.59/60 (the Chrome Stable release that included the fixes), Chrome is patched for CVE‑2025‑12438 upstream. Verify using chrome://version.
- If your Edge build displays a Chromium backend number or if Microsoft’s release notes / SUG state that a specific Edge build “incorporates the latest security updates of the Chromium project” that include the Chrome 142 changes, then Edge is patched. Microsoft documents this in its Edge security release notes and SUG entries. Administrators should compare their local edge://version output with the Edge release notes entry for the CVE to confirm ingestion.
Quick checks and practical commands for sysadmins
- Manual interactive check (single workstation):
- Open edge://version or chrome://version and copy the full build string.
- Open the Microsoft Security Update Guide entry for CVE‑2025‑12438 and Edge release notes to see which Edge build ingested the Chromium 142 fix. If the local Edge build is the same or newer, the client is patched.
- Enterprise inventory (recommended):
- Query endpoint inventories (Intune, SCCM, Jamf, MDM) for installed Edge and Chrome builds.
- Produce a report of devices with Edge versions older than the Edge build that contains the Chromium 142 ingestion.
- Force or schedule updates, starting with high‑risk and internet‑facing hosts.
- For headless or packaged Chromium (Electron apps, kiosks):
- These can embed a specific Chromium binary and therefore remain vulnerable until the packager rebuilds the app with the patched Chromium. Inventory these separately — they do not auto‑update with the system browser.
Risk assessment and mitigation guidance
Immediate actions (home users)
- Update your browser now via About → restart when prompted. Chrome users who upgrade to Chrome 142.0.7444.59/60 will have the upstream fix. Edge users should update when Microsoft publishes the Edge build that ingests Chromium 142, and SUG or Edge release notes confirm it.
Immediate actions (enterprises)
- Treat this class of memory‑safety bug as high priority. Prioritize pilot and high‑value groups, then accelerate staged rollout.
- If Edge ingestion is delayed in your environment and you cannot switch to Chrome, implement compensating controls:
- Apply web filtering and URL allowlists for privileged endpoints.
- Enforce URL reputation and block known exploit hosting networks.
- Harden browser policies: disable unnecessary WebRTC/WebGPU features if feasible and test for breakage.
Detection & hunting
- Watch for spikes in browser renderer crashes across endpoints; mass crashes can indicate exploitation attempts.
- Monitor EDR/telemetry for unusual child process creation from chrome.exe or msedge.exe or for suspicious heap‑corruption patterns.
- When available, integrate vendor IOCs into detection rules; stay prepared to pivot if a public proof‑of‑concept or exploit appears.
Strengths of the vendor response — and the residual risks
Strengths:- Google issued a Chrome stable update quickly and grouped multiple fixes into a single stable release (Chrome 142), simplifying remediation for many users. Official Chrome Releases posts provide the upstream remediation boundary.
- Microsoft documents downstream ingestion status in the Security Update Guide and in Edge release notes, which helps enterprise teams confirm Edge’s patched state.
- Downstream ingestion lag: Edge and other Chromium derivatives are only secure after the vendor ingests and ships the Chromium fix. This ingestion window is the operational exposure window.
- Embedded Chromium instances: Electron or other embedded binaries are frequently overlooked and require vendor‑specific updates.
- Exploit uncertainty: Absence of a public proof‑of‑concept does not equal absence of exploitation. Treat memory‑corruption CVEs reachable from web content as high priority until remediation is verified.
Cross‑verification and sources used (what was checked)
Key claims in this article were checked against multiple independent sources:- Google Chrome Releases entries for the Chrome 142 promotion and desktop builds, which list the Stable channel updates that include the security fixes. The Chrome Releases blog is the authoritative upstream vendor record.
- Independent aggregators and regional press coverage (for example, a Japanese press roundup) that list the set of CVEs fixed in Chrome 142 and explicitly mention CVE‑2025‑12438 (Ozone UAF) and the patched builds. These corroborate the Chrome Releases entry.
- Microsoft’s guidance and release notes that explain Edge’s release cadence and the practice of incorporating Chromium fixes into Edge builds — and the Security Update Guide that flags downstream CVE ingestion state. These are Microsoft’s official downstream artifacts.
- OSV / Debian vulnerability tracker entries and other vulnerability feeds that list the CVE and note the affected package versions and the remediation commits, offering distribution‑level corroboration for the fix.
- Practical “how to check version” guidance from consumer tech press and vendor help pages for step‑by‑step instructions (Chrome/Edge About pages and internal pages edge://version and chrome://version).
Practical checklist (copy‑paste for IT teams)
- Use management tooling to retrieve chrome://version or edge://version strings across endpoints.
- Compare Chrome builds to the upstream remediation boundary (Chrome ≥ 142.0.7444.59/60).
- Consult Microsoft’s Security Update Guide and Edge release notes to identify the Edge build that ingested Chromium 142; confirm local Edge builds are equal or newer.
- Prioritize patching for internet‑facing and high‑privilege endpoints.
- Inventory embedded Chromium runtimes (Electron apps, kiosks) and contact vendors for patched builds.
- Tune EDR/SIEM for renderer crash spikes and anomalous child process creation from browser processes.
Conclusion
CVE‑2025‑12438 — a use‑after‑free in Ozone — was fixed upstream by Google in the Chrome 142 Stable release (desktop builds 142.0.7444.59/60). Microsoft lists the CVE in its Security Update Guide because Microsoft Edge consumes Chromium OSS; SUG is the authoritative downstream record that tells administrators when Edge has ingested the upstream fix and is no longer vulnerable. To verify protection, check the browser’s About page (edge://settings/help, chrome://settings/help) or the full build string via edge://version or chrome://version, then compare that local build to Microsoft’s SUG / Edge release notes (for Edge) or to Chrome’s Stable build (for Chrome). Treat any web‑reachable memory‑safety bug as high priority: apply vendor updates immediately, inventory embedded engines, and monitor telemetry for anomalous crashes while keeping threat intelligence feeds close at hand to detect any change in exploit status.Source: MSRC Security Update Guide - Microsoft Security Response Center
