PT-2025-41495 · Google+4 · Chromium+5

Published 2025-01-01 · Updated 2026-02-21 · CVE-2025-11460

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Chromium versions prior to 141.0.7390.65
Microsoft Edge versions prior to 141.0.7390.65

Description

A use-after-free issue exists in the Storage component of the Google Chrome and Microsoft Edge browsers. Exploitation of this issue could allow a remote attacker to execute arbitrary code or cause a denial of service. The issue is triggered by a crafted video file. A proof-of-concept exploit is publicly available; it demonstrates remote code execution in an unsandboxed process through a heap spray and manipulation of Mojo messages. The vulnerability involves asynchronous destruction of an IndexedDB database, which leaves a dangling pointer to the database connection object that can be reused with user-controlled memory corruption.

Recommendations

Chromium versions prior to 141.0.7390.65: Upgrade to version 141.0.7390.65 or later.
Microsoft Edge versions prior to 141.0.7390.65: Upgrade to version 141.0.7390.65 or later.
Chromium versions 141.0.7390.65-1deb12u1 (bookworm) and 141.0.7390.65-1deb13u1 (trixie): No action is required, as these versions are patched.
Chromium versions prior to 141.0.7390.76-alt0.p11.1: Upgrade to version 141.0.7390.76-alt0.p11.1 or later.

Exploit

Fix

RCE

Use After Free

Weakness Enumeration

Related Identifiers

ALT-PU-2025-13054
BDU:2025-13067
CVE-2025-11460
DSA-6021-1
OPENSUSE-SU-2025:15622-1
OPENSUSE-SU-2025:20020-1

Affected Products

Alt Linux
Chromium
Debian
Google Chrome
Edge
Red Os