CVE-2025-34091

Name of the Vulnerable Software and Affected Versions: Google Chrome (affected versions not specified)

Description: A padding oracle vulnerability exists in Google Chrome's AppBound cookie encryption mechanism. This issue arises due to observable decryption failure behavior in Windows Event Logs when handling malformed ciphertext in SYSTEM-DPAPI-encrypted blobs. A local attacker can repeatedly send malformed ciphertexts to the Chrome elevation service and distinguish between padding and MAC errors, enabling a padding oracle attack. This allows partial decryption of the SYSTEM-DPAPI layer and eventual recovery of the user-DPAPI encrypted cookie key. The vulnerability undermines the core purpose of AppBound Encryption by enabling low-privileged cookie theft through cryptographic misuse and verbose error feedback.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.