[TIMESTAMP: 2026-03-13 08:18 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

Chrome 146 Patch: Two Exploited Zero-Days CVE-2025-0672 and CVE-2025-0673

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Immediate impact: Attackers are actively exploiting two vulnerabilities in Google Chrome to bypass security and execute code on target systems.
  • [02] Affected systems: The vulnerabilities impact all desktop versions of Google Chrome including Windows, macOS, and Linux prior to the Chrome 146 update.
  • [03] Remediation: Administrators must immediately update all browser installations to the latest version to mitigate these active zero-day threats.

Google has issued an urgent security update for the Chrome browser to address two high-severity vulnerabilities that are being actively exploited in the wild. These Zero-Day flaws, identified as CVE-2025-0672 and CVE-2025-0673, represent a significant risk to the integrity of enterprise endpoints. According to SecurityWeek, these flaws allow threat actors to manipulate data and bypass critical security restrictions, which can eventually lead to RCE.

Technical Analysis of Exploited Flaws

The vulnerabilities identified in this release represent two distinct attack vectors within the browser’s architecture. Both were reported by researchers within Google’s Threat Analysis Group (TAG), a team known for tracking sophisticated APT activity and state-sponsored cyber operations.

CVE-2025-0673: Use After Free in Dawn

The first flaw, CVE-2025-0673, is a Use After Free (UAF) condition residing in Dawn. Dawn is the cross-platform, open-source implementation of the WebGPU standard used within the Chrome engine. A UAF vulnerability occurs when a program continues to use a pointer after the memory it points to has been freed; an attacker can manipulate this condition to execute arbitrary code or cause a system crash. In the context of a browser, this often allows an attacker to escape the renderer sandbox, a critical step in achieving Privilege Escalation on the host operating system. The CVSS score reflects the high severity of memory corruption issues in core browser components.

CVE-2025-0672: Inappropriate Implementation in Extensions

The second vulnerability, CVE-2025-0672, involves an inappropriate implementation within the Chrome Extensions framework. While specific TTP details are often withheld by vendors until a majority of the user base has updated, this type of flaw typically concerns how the browser manages permissions or validates communication between extensions and the browser core. Organizations looking to detect exploitation attempts against CVE-2025-0672 should monitor for unusual browser extension behavior or unauthorized attempts to access sensitive browser data stores.

Threat Context and Impact

The discovery of these flaws by Google TAG suggests that the exploitation may be part of a highly targeted campaign. When zero-days are utilized in the wild, they are frequently used as the initial access vector in a larger attack chain. Once the browser is compromised, attackers may attempt Lateral Movement within the internal network or deploy a C2 beacon to establish long-term persistence.

For a SOC, the primary concern is the speed at which these vulnerabilities can be weaponized. While initial reports indicate targeted usage, the risk of broader exploitation increases once other threat actors analyze the details of the Chrome 146 fixes.

Actionable Recommendations

Security teams should prioritize the following steps to ensure protection against these active threats:

  • Emergency Patching: Deploy the Chrome 146 update across all Windows, macOS, and Linux workstations immediately.
  • Enforce Restarts: Since browser updates require a process restart to take effect, use management tools to force a restart for users who have not updated within 24 hours.
  • Monitoring: Update EDR and SIEM signatures to look for anomalous child processes spawned by browser executables, which is a common IoC for successful browser exploitation.
  • Review Extensions: Audit the organization’s allowed extension list to ensure that only verified and necessary extensions are installed, reducing the surface area for CVE exploitation.
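
The monitoring recommendation above, as an added example (not from the original article or from Google): a triage pass over process-creation events that flags children of a browser process. The event lines are constructed; the field names follow Sysmon Event ID 1, while the JSON-lines export format and the `chrome.exe` image name are assumptions.

```python
import json
import ntpath

BROWSER_IMAGES = {"chrome.exe"}  # assumption: Windows image name of the browser

# Constructed sample: process-creation events as JSON lines. Field names follow
# Sysmon Event ID 1; the JSON-lines export format is an assumption.
SAMPLE_EVENTS = r'''
{"UtcTime":"2026-03-13 09:01:02","ProcessId":4120,"Image":"c:\\program files\\google\\chrome\\application\\chrome.exe","ParentImage":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","CommandLine":"chrome.exe --type=renderer"}
{"UtcTime":"2026-03-13 09:04:10","ProcessId":5120,"Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","CommandLine":"cmd.exe"}
{"UtcTime":"2026-03-13 09:05:33","ProcessId":5204,"Image":"C:\\Users\\Public\\chrome.exe","ParentImage":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","CommandLine":"chrome.exe"}
{"UtcTime":"2026-03-13 09:06:00","ProcessId":5260,"Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"chrome.exe"}
{"UtcTime":"2026-03-13 09:07:15","ProcessId":5300,"Image":"C:\\Windows\\System32\\notepad.exe"}
not json
'''

def _name(path):
    return ntpath.basename(path).lower()

def triage(lines):
    """Return (alerts, skipped) for an iterable of JSON-line process events."""
    alerts, skipped = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            parent, child = ev["ParentImage"], ev["Image"]
            if not (isinstance(parent, str) and isinstance(child, str)):
                raise TypeError("image fields must be strings")
        except (ValueError, KeyError, TypeError):
            skipped += 1  # count unusable events so telemetry gaps stay visible
            continue
        if _name(parent) not in BROWSER_IMAGES:
            continue  # only children of the browser are in scope
        if _name(child) not in BROWSER_IMAGES:
            reason = "non-browser child of browser process"
        elif ntpath.normcase(child) != ntpath.normcase(parent):
            reason = "browser-named child outside the parent's install path"
        else:
            continue  # browser re-launching its own binary (renderer, GPU, utility)
        alerts.append({"time": ev.get("UtcTime"), "pid": ev.get("ProcessId"),
                       "image": child, "reason": reason})
    return alerts, skipped

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS.splitlines())[0]:
        print(alert)
```

Chrome also starts some non-browser children legitimately, such as native messaging hosts and external protocol handlers, so baseline the output per fleet before turning it into an alerting rule.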

By ensuring the rapid adoption of the Chrome 146 update, organizations can effectively close the window of opportunity for attackers seeking to leverage these critical memory and extension-based flaws.
