CVE-2025-5283: Use after free in libvpx in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page…

medium5.4CVSS 3.1

AVNACLPRNUIRSUCLILAN

Use after free in libvpx in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Affected

22 ranges

Vendor	Product	Version range	Fixed in
chromium	chromium	>= 0 < 137.0.7151.55-3~deb12u1	137.0.7151.55-3~deb12u1
chromium	chromium	>= 0 < 137.0.7151.55-1	137.0.7151.55-1
chromium	chromium	>= 0 < 137.0.7151.55-1	137.0.7151.55-1
debian	chromium	< chromium 137.0.7151.55-3~deb12u1 (bookworm)	chromium 137.0.7151.55-3~deb12u1 (bookworm)
debian	firefox	< chromium 137.0.7151.55-3~deb12u1 (bookworm)	chromium 137.0.7151.55-3~deb12u1 (bookworm)
debian	firefox-esr	< chromium 137.0.7151.55-3~deb12u1 (bookworm)	chromium 137.0.7151.55-3~deb12u1 (bookworm)
debian	libvpx	< chromium 137.0.7151.55-3~deb12u1 (bookworm)	chromium 137.0.7151.55-3~deb12u1 (bookworm)
debian	thunderbird	< chromium 137.0.7151.55-3~deb12u1 (bookworm)	chromium 137.0.7151.55-3~deb12u1 (bookworm)
google	chrome	< 137.0.7151.55	137.0.7151.55
google	chrome	>= 137.0.7151.55 < 137.0.7151.55	137.0.7151.55
google	chrome_chrome	—	—
mozilla	firefox	—	—
mozilla	thunderbird	>= 0 < 1:128.11.0esr-1~deb11u1	1:128.11.0esr-1~deb11u1
mozilla	thunderbird	>= 0 < 1:128.11.0esr-1~deb12u1	1:128.11.0esr-1~deb12u1
mozilla	thunderbird	>= 0 < 1:128.11.0esr-1	1:128.11.0esr-1
mozilla	thunderbird	>= 0 < 1:128.11.0esr-1	1:128.11.0esr-1
msrc	microsoft_edge	—	—
paloalto	prisma_browser	—	—
webmproject	libvpx	>= 0 < 1.9.0-1+deb11u4	1.9.0-1+deb11u4
webmproject	libvpx	>= 0 < 1.12.0-1+deb12u4	1.12.0-1+deb12u4
webmproject	libvpx	>= 0 < 1.15.0-2.1	1.15.0-2.1
webmproject	libvpx	>= 0 < 1.15.0-2.1	1.15.0-2.1

CVSS provenance

nvdv3.15.4MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

osv5.4MEDIUM