Google

Google released an urgent security update for its Chrome browser to patch **CVE-2025-12036**, a high-severity vulnerability in the **V8 JavaScript engine** that could allow **remote code execution (RCE)** on affected systems. The flaw, classified as an *‘inappropriate implementation in V8’*, was discovered by Google’s **AI-powered Big Sleep project** on October 15, 2025. V8 is a critical component handling JavaScript execution in Chrome and Chromium-based browsers, making it a prime target for exploitation.

Successful exploitation could enable attackers to **compromise user systems, steal sensitive data, or deploy malicious payloads** (e.g., malware, ransomware, or spyware). While no active exploits were reported at disclosure, the high-severity rating underscores the potential for **widespread abuse** if left unpatched. Google deployed the fix within **six days** via Chrome versions **141.0.7390.122/123** (Windows/Mac/Linux), urging users to update immediately. The vulnerability’s technical details remain restricted to prevent reverse-engineering by threat actors until most users apply the patch.

The incident highlights the risks of **supply-chain vulnerabilities** in widely used software, where a single flaw in a core component (like V8) can expose **millions of users** to attacks ranging from data theft to system takeover. Google’s proactive use of **AI-driven security tools** (e.g., AddressSanitizer, libFuzzer) mitigated the risk, but unpatched systems remain at high risk of exploitation.

Source: https://cyberpress.org/chrome-v8-javascript-engine-vulnerability/

TPRM report: https://www.rankiteo.com/company/googlecloudsecurity

"id": "goo1232812102225",
"linkid": "googlecloudsecurity",
"type": "Vulnerability",
"date": "10/2025",
"severity": "50",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'customers_affected': 'All users running Chrome '
                                              'versions prior to '
                                              '141.0.7390.122/.123 '
                                              '(Windows/Mac/Linux)',
                        'industry': 'Technology (Browser Software)',
                        'location': 'Global',
                        'name': 'Google Chrome Users',
                        'type': 'Software Users'}],
 'attack_vector': 'Network-based (via malicious JavaScript execution in '
                  'Chrome)',
 'customer_advisories': 'Users were instructed to verify their Chrome version '
                        'and install updates to mitigate the RCE risk.',
 'date_detected': '2025-10-15',
 'date_publicly_disclosed': '2025-10-21',
 'date_resolved': '2025-10-21',
 'description': 'Google has released an urgent security update for its Chrome '
                'browser to address a high-severity vulnerability '
                '(CVE-2025-12036) in the V8 JavaScript engine that could allow '
                'attackers to execute remote code on affected systems. The '
                "flaw, classified as an 'inappropriate implementation in V8,' "
                'was discovered by Google’s AI-powered Big Sleep project. The '
                'vulnerability affects Chrome versions prior to '
                '141.0.7390.122/.123 (Windows/Mac) and 141.0.7390.122 (Linux). '
                'Google patched the issue within six days of discovery, '
                'emphasizing the urgency due to potential severe consequences '
                'like system compromise, data theft, or malicious payload '
                'delivery.',
 'impact': {'brand_reputation_impact': 'Minimal (proactive patching mitigated '
                                       'risk)',
            'identity_theft_risk': 'High (if exploited, could lead to '
                                   'sensitive data theft)',
            'operational_impact': 'Potential for remote code execution, system '
                                  'compromise, or malicious payload delivery '
                                  'if exploited',
            'payment_information_risk': 'High (if exploited, could expose '
                                        'payment data processed via browser)',
            'systems_affected': ['Chrome browsers (Windows, Mac, Linux) '
                                 'running versions prior to '
                                 '141.0.7390.122/.123']},
 'investigation_status': 'Resolved (Patch released; no known exploits in the '
                         'wild)',
 'lessons_learned': 'Proactive AI-powered vulnerability discovery (e.g., '
                    "Google's Big Sleep project) and rapid patch deployment "
                    'are critical to mitigating high-severity flaws in widely '
                    'used software like Chrome. Automated security tools '
                    '(e.g., AddressSanitizer, libFuzzer) play a key role in '
                    'identifying vulnerabilities before exploitation.',
 'post_incident_analysis': {'corrective_actions': ['Released patch for Chrome '
                                                   '141.0.7390.122/.123 to fix '
                                                   'the V8 vulnerability.',
                                                   'Leveraged automated tools '
                                                   '(AddressSanitizer, '
                                                   'libFuzzer) to prevent '
                                                   'similar flaws.',
                                                   'Delayed public disclosure '
                                                   'of vulnerability details '
                                                   'to allow user patching.'],
                            'root_causes': 'Inappropriate implementation in '
                                           'the V8 JavaScript engine, '
                                           'discovered via AI-powered security '
                                           'research (Big Sleep project).'},
 'recommendations': ['Users should enable automatic updates for Chrome to '
                     'ensure timely patching.',
                     'Organizations should enforce browser update policies and '
                     'verify patch deployment across endpoints.',
                     'Developers should prioritize security testing for core '
                     'components like JavaScript engines using tools like '
                     'AddressSanitizer and fuzz testing.',
                     'Google should continue restricting vulnerability details '
                     'until widespread patching is confirmed to prevent '
                     'exploit development.'],
 'references': [{'date_accessed': '2025-10-21',
                 'source': 'Google Chrome Releases Blog'},
                {'source': 'CVE Details for CVE-2025-12036'}],
 'response': {'communication_strategy': ['Public security advisory',
                                         'Restricted vulnerability details '
                                         'until majority of users patched'],
              'containment_measures': ['Urgent patch release (Chrome '
                                       '141.0.7390.122/.123)',
                                       'Automatic update rollout to users'],
              'incident_response_plan_activated': True,
              'remediation_measures': ["Patch deployment via Chrome's "
                                       'auto-update mechanism',
                                       'User advisories to manually '
                                       'check/update browser versions']},
 'stakeholder_advisories': 'Google advised users to update Chrome immediately '
                           "via the 'About Chrome' settings menu.",
 'title': 'Google Chrome V8 JavaScript Engine Remote Code Execution '
          'Vulnerability (CVE-2025-12036)',
 'type': ['Vulnerability', 'Remote Code Execution (RCE)'],
 'vulnerability_exploited': 'CVE-2025-12036 (Inappropriate implementation in '
                            'V8 JavaScript engine)'}