Google Fixes two Medium Severity Bugs in Chrome

Google Chrome recently addressed two medium-severity vulnerabilities, CVE-2025-14372 and CVE-2025-14373, in its Stable channel update to version 143.0.7499.109, released around December 9-10, 2025. These flaws affect browsers prior to this version on Windows, macOS, and Linux, highlighting ongoing risks in widely used components like Password Manager and Toolbar.

Vulnerability Breakdown

CVE-2025-14372 is a use-after-free error in the Password Manager: memory is accessed after it has been freed, which can corrupt the heap when a user opens a malicious HTML page. Discovered by Weipeng Jiang of VRI on November 14, 2025, it carries a potential CVSS score of 9.8 in some analyses, implying remote code execution despite Google’s medium rating. CVE-2025-14373 stems from an inappropriate implementation in the Toolbar, allowing a security UI bypass that could trick users into unsafe actions.

CVE-2025-14373 was reported by Khalil Zhani on November 18, 2025. Both flaws earned $2000 bounties under Chrome’s VRP, underscoring their exploit potential in real-world attacks. No public exploits exist for these specific CVEs, unlike the accompanying high-severity zero-day (Issue 466192044), which is under active exploitation.

Potential Impacts

Exploitation of CVE-2025-14372 could lead to arbitrary code execution within the browser sandbox, enabling data theft from Password Manager or, when chained with other bugs, a sandbox escape. Enterprises face elevated risk, since unpatched instances of a browser used by over 3 billion users amplify exposure to phishing and drive-by downloads.

CVE-2025-14373’s toolbar flaw might facilitate spoofing of security warnings, increasing clickjacking success rates and credential harvesting via deceptive interfaces. In vulnerability management workflows such as Qualys or Tenable, these ship alongside the patch for Chrome’s eighth zero-day of 2025, demanding immediate scanning and prioritization per CISA KEV standards.

Mitigation Steps

Update Chrome via Help > About Google Chrome to 143.0.7499.109/.110 immediately; enable auto-updates and monitor via enterprise tools.
Scan environments with Qualys QIDs or Tenable plugins for affected versions.
Adopt layered defenses: restrict extensions, enforce sandboxing, and review CISA advisories for threat intel.
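The version check behind the scanning step above, as an added example that is not part of the original post: it compares a Chrome version string against the first fixed Stable build named in the advisory and lists hosts that still need the update. The tab-separated "host, version" inventory format and the sample hosts are constructed for the example.

```python
from typing import Iterable

# First Stable build carrying the fix for CVE-2025-14372 / CVE-2025-14373.
FIXED_VERSION = (143, 0, 7499, 109)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn 'MAJOR.MINOR.BUILD.PATCH' (e.g. '143.0.7499.109') into a
    comparable tuple; anything not four numeric fields is rejected."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the build predates the patch. Tuple comparison is
    lexicographic, so 142.0.7444.175 < fixed and 143.0.7499.110 >= fixed."""
    return parse_version(version) < FIXED_VERSION


def affected_hosts(inventory: Iterable[str]) -> list[str]:
    """Read 'hostname<TAB>version' lines (assumed export format) and
    return the hosts whose Chrome must be updated."""
    hits = []
    for line in inventory:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition("\t")
        if is_affected(version):
            hits.append(host)
    return hits


# Constructed sample inventory, not real data.
SAMPLE_INVENTORY = """\
# host\tchrome_version
ws-001\t143.0.7499.109
ws-002\t142.0.7444.175
ws-003\t143.0.7499.40
ws-004\t143.0.7499.110
""".splitlines()

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: update Chrome to 143.0.7499.109 or later")
```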
