CVE-2025-7656 — External Control of Assumed-Immutable Web Parameter in Google Chrome

CWE-472 — External Control of Assumed-Immutable Web Parameter11 documents10 sources

Severity

8.8HIGHNVD

EPSS

0.1%

top 76.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Chrome Chromium Paloalto Prisma Browser

Timeline

PublishedJul 15

Latest updateOct 21

Description

Integer overflow in V8 in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5google/chrome138.0.7204.157 — 138.0.7204.157

▶NVDgoogle/chrome< 138.0.7204.157

▶Debianchromium/chromium< 138.0.7204.157-1~deb12u1+2

▶Palo Altopaloalto/prisma_browser

🔴Vulnerability Details

CVEList

CVE-2025-7656: Integer overflow in V8 in Google Chrome prior to 138↗2025-07-15

▶

GHSA

GHSA-x429-qrf9-h4p7: Integer overflow in V8 in Google Chrome prior to 138↗2025-07-15

▶

OSV

CVE-2025-7656: Integer overflow in V8 in Google Chrome prior to 138↗2025-07-15

▶

💥Exploits & PoCs

Exploit-DB

jQuery 3.3.1 - Prototype Pollution & XSS Exploit↗2025-04-08

▶

📋Vendor Advisories

Chrome

Long Term Support Channel Update for ChromeOS: CVE-2025-7656↗2025-08-20

▶

Palo Alto

PAN-SA-2025-0014 Chromium: Monthly Vulnerability Update (August 2025)↗2025-08-13

▶

Microsoft

Chromium: CVE-2025-7656 Integer overflow in V8↗2025-07-08

▶

Debian

CVE-2025-7656: chromium - Integer overflow in V8 in Google Chrome prior to 138.0.7204.157 allowed a remote...↗2025

▶

🕵️Threat Intelligence

Bleepingcomputer

Cursor, Windsurf IDEs riddled with 94+ n-day Chromium vulnerabilities↗2025-10-21

▶

Bleepingcomputer

Google fixes actively exploited sandbox escape zero day in Chrome↗2025-07-16

▶