Severity Level: High
Title:
Google fixes exploited Chrome sandbox bypass zero-day (CVE-2025-2783)
Summary:
Google is in the process of rolling out Chrome v134.0.6998.178 to Windows users to fix CVE-2025-2783, a zero-day vulnerability that allowed attackers to bypass Chrome sandbox protections.
Google explains the source of the flaw thus: “Incorrect handle provided in unspecified circumstances in Mojo on Windows.” (Mojo is Chromium’s inter-process communication framework.)
Researchers Igor Kuznetsov and Boris Larin say that the cause of CVE-2025-2783 was “a logical error at the intersection of Google Chrome’s sandbox and the Windows operating system,” and that it initially left them scratching their heads: “Without doing anything obviously malicious or forbidden, it allowed the attackers to bypass Google Chrome’s sandbox protection as if it didn’t even exist.”
The discovered exploit for CVE-2025-2783 has been used in conjunction with another one enabling remote code execution.
The attacks they have flagged involved phishing emails linking to an (at the time) compromised website. Opening the website in the Chrome browser triggered the exploits, and resulted in sophisticated malware being downloaded and run.
“Unfortunately, we were unable to obtain this second exploit, as in this particular case it would have required waiting for a new wave of attacks and exposing users to the risk of infection. Fortunately, patching the vulnerability used to escape the sandbox effectively blocks the entire attack chain,” Kaspersky researchers stated.
Recommendations:
If you’re a Windows and Chrome user and you have chosen to update your browser manually, now is the time to do it: close all Chrome windows on the desktop, then relaunch Chrome to apply the update.
Users who have opted for automatic updating don’t have to do anything.
CVE-2025-2783 only affects Chrome users on Windows. Mac and Linux users won’t be receiving this update.
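For teams that track browser versions in an asset inventory, the following added example (not part of the original advisory) triages hosts against the fixed build named above. The inventory rows and field names are constructed, and it assumes any build at or above 134.0.6998.178 carries the fix.

```python
"""Triage a software inventory for CVE-2025-2783 exposure (added example)."""

FIXED_BUILD = (134, 0, 6998, 178)  # fixed Chrome build named in this advisory


def parse_version(text):
    """Return a 4-part Chrome version as a tuple of ints, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def triage(host):
    """Classify one inventory row: not_affected, patched, vulnerable or review."""
    # The advisory scopes the flaw to Chrome on Windows only.
    if host["os"].strip().lower() != "windows":
        return "not_affected"
    version = parse_version(host["chrome"])
    if version is None:
        return "review"  # unreadable version: check the host by hand
    # Tuple comparison is numeric per component, so 134.0.6998.90 sorts below
    # 134.0.6998.178 (a plain string comparison would get that case wrong).
    # Assumption: builds at or above the fixed build include the fix.
    return "patched" if version >= FIXED_BUILD else "vulnerable"


# Constructed sample inventory; host names and versions are made up.
INVENTORY = [
    {"name": "ws-001", "os": "Windows", "chrome": "134.0.6998.178"},
    {"name": "ws-002", "os": "Windows", "chrome": "134.0.6998.90"},
    {"name": "ws-003", "os": "Windows", "chrome": "133.0.6943.142"},
    {"name": "mac-01", "os": "macOS", "chrome": "134.0.6998.89"},
    {"name": "ws-004", "os": "Windows", "chrome": "unknown"},
]


def report(inventory):
    """Map each host name to its triage result."""
    return {h["name"]: triage(h) for h in inventory}


if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name}: {status}")
```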