CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-4052

CVSS 9.8v3.1pub. 2025-05-05upd. 2025-05-28

Inappropriate implementation in DevTools in Google Chrome prior to 136.0.7103.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Low)

🤖 AI Analysis
How it works

The attacker prepares a specially crafted HTML page that induces the user to perform specific gestures in the browser interface (UI gestures). Faulty implementation in the DevTools module causes this interaction to allow bypassing discretionary access control. The attack therefore requires active user participation and the execution of specific actions in the browser.

Impact

An attacker can bypass access control mechanisms in the browser, which potentially enables unauthorized access to protected resources or functions. The scope of effects depends on the context in which the vulnerability is exploited.

Mitigation & patch

Google Chrome should be updated to version 136.0.7103.59 or later. The update is available through the browser's built-in update mechanism or on the vendor's website according to the references.

Who is affected

Google Chrome in versions earlier than 136.0.7103.59 on desktop platforms.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Google Chrome

    APP
    Google
    < 136.0.7103.59
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2024-7971CRITICAL9.6⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome/Edge) umożliwiający heap corruption

CVE-2024-5274CRITICAL9.6⚠ KEVPL ✓ten sam produkt

Type Confusion w V8 (Google Chrome) — RCE przez spreparowaną stronę HTML

CVE-2024-4947CRITICAL9.6⚠ KEVPL ✓ten sam produkt

Type Confusion w silniku V8 Chrome — zdalne wykonanie kodu (RCE)

CVE-2024-4671CRITICAL9.6⚠ KEVPL ✓ten sam produkt

Use-after-free w Google Chrome Visuals umożliwiający ucieczkę z sandbox