Severity: 6.5 MEDIUM (NVD)
EPSS: 0.0% (top 93.80%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 13; Latest update Jan 13

Description

Inappropriate implementation in File Picker in Google Chrome prior to 139.0.7258.127 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (4 packages)

CVEListV5 | google/chrome | 139.0.7258.127 | 139.0.7258.127
NVD | google/chrome | < 139.0.7258.127
Debian | chromium/chromium | < 139.0.7258.127-1~deb12u1+2
Linux | linux/linux_kernel | 5.11.0 | 5.15.198+6

🔴 Vulnerability Details (5)

OSV: NFSD: NFSv4 file creation neglects setting ACL (2026-01-13)
OSV: NFSD: Define actions for the new time_deleg FATTR4 attributes (2025-12-08)
OSV: CVE-2025-8881: Inappropriate implementation in File Picker in Google Chrome prior to 139 (2025-08-13)
GHSA: GHSA-c4fm-x36h-pwf6: Inappropriate implementation in File Picker in Google Chrome prior to 139 (2025-08-13)
CVEList: CVE-2025-8881: Inappropriate implementation in File Picker in Google Chrome prior to 139 (2025-08-13)

📋 Vendor Advisories (5)

Red Hat: kernel: NFSD: NFSv4 file creation neglects setting ACL (2026-01-13)
Red Hat: kernel: NFSD: Define actions for the new time_deleg FATTR4 attributes (2025-12-08)
Chrome: Long Term Support Channel Update for ChromeOS: CVE-2025-8881 (2025-09-26)
Microsoft: Chromium: CVE-2025-8881 Inappropriate implementation in File Picker (2025-08-12)
Debian: CVE-2025-8881: chromium - Inappropriate implementation in File Picker in Google Chrome prior to 139.0.7258... (2025)
CVE-2025-8881 — Google Chrome vulnerability | cvebase