
[CIVN-2025-0309] Multiple Vulnerabilities in Google ChromeOS / ChromeOS Flex
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
Google ChromeOS versions prior to 16433.41.0 (Browser version 142.0.7444.147)
Overview
Multiple vulnerabilities have been reported in Google ChromeOS, which could allow a remote attacker to execute arbitrary code, bypass security restrictions, cause denial-of-service (DoS) or disclose sensitive information on the targeted system.
Target Audience:
All organizations and individuals using Google ChromeOS or ChromeOS Flex.
Risk Assessment:
High risk of data breach, service disruption, system instability.
Impact Assessment:
Potential for remote code execution, sensitive data theft, or complete system compromise.
Description
ChromeOS is a lightweight OS by Google, optimized for fast web browsing, cloud computing, and seamless Google service integration on Chromebooks. ChromeOS Flex is a variant that brings this experience to older PCs and Macs, offering a cloud-centric, lightweight alternative for unsupported devices.
Multiple vulnerabilities exist in Google ChromeOS due to Inappropriate implementation in V8, Extensions, Autofill; Out of bounds read in WebXR, V8; Type Confusion in V8; Use after free in PageInfo, Ozone; Object lifecycle issue in Media; Race in V8; and Policy bypass in Extensions. A remote attacker could exploit these vulnerabilities by persuading a victim to visit a specially crafted web page.
Successful exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code, bypass security restrictions, cause denial-of-service (DoS) or disclose sensitive information on the targeted system.
Solution
Apply appropriate updates as mentioned by the vendor:
https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-chromeos.html
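To find devices that still need the update, the following added example (not part of the CERT-In advisory or any Google tooling) triages a device inventory against the fixed versions listed under "Software Affected". The CSV column names and the sample rows are assumptions constructed for illustration; versions are compared numerically, and rows with no parseable version are reported as unknown rather than patched.

```python
import csv
import io

# Fixed versions from the advisory's "Software Affected" line.
FIXED_PLATFORM = (16433, 41, 0)
FIXED_BROWSER = (142, 0, 7444, 147)

def parse_version(text):
    """Return a tuple of ints, or None if the field is empty or malformed."""
    parts = (text or "").strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def below(version, fixed):
    """Numeric comparison; a short version such as 16433.41 is zero-padded."""
    padded = version + (0,) * (len(fixed) - len(version))
    return padded < fixed

def classify(platform, browser):
    """'vulnerable' if either version is below the fixed one, 'unknown' if
    neither field parses, otherwise 'patched'."""
    p, b = parse_version(platform), parse_version(browser)
    if p is None and b is None:
        return "unknown"
    if (p is not None and below(p, FIXED_PLATFORM)) or \
       (b is not None and below(b, FIXED_BROWSER)):
        return "vulnerable"
    return "patched"

def triage(csv_text):
    """Map device_id -> status. Column names are hypothetical."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["device_id"]: classify(r["platform_version"], r["browser_version"])
            for r in rows}

# Constructed sample inventory (not real devices or a real export format).
SAMPLE = """device_id,platform_version,browser_version
cb-001,16433.41.0,142.0.7444.147
cb-002,16433.9.0,142.0.7444.100
cb-003,16328.65.0,141.0.7390.115
cb-004,,
cb-005,16433.50.0,142.0.7444.200
"""

if __name__ == "__main__":
    for device, status in triage(SAMPLE).items():
        print(device, status)
```

Row cb-002 is the case a plain string comparison gets wrong: as text, "16433.9.0" sorts after "16433.41.0", so the device would be treated as patched.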
Vendor Information
Google Chrome
https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-chromeos.html
References
Google Chrome
https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-chromeos.html
CVE Name
CVE-2025-12036
CVE-2025-12428
CVE-2025-12429
CVE-2025-12430
CVE-2025-12431
CVE-2025-12432
CVE-2025-12433
CVE-2025-12436
CVE-2025-12437
CVE-2025-12438
CVE-2025-12440
CVE-2025-12441
CVE-2025-12443
CVE-2025-12445
CVE-2025-12727
– —
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
—–BEGIN PGP SIGNATURE—–
—–END PGP SIGNATURE—–


