[CIVN-2025-0272] Multiple Vulnerabilities in Google ChromeOS / ChromeOS Flex

Published On: October 21, 2025

Multiple Vulnerabilities in Google ChromeOS / ChromeOS Flex 
Indian - Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
Google ChromeOS versions prior to 16404.45.0 (Browser version 141.0.7390.115)
Overview
Multiple vulnerabilities have been reported in Google ChromeOS, which could allow a remote attacker to execute arbitrary code, bypass security restrictions, cause denial-of-service (DoS) or disclose sensitive information on the targeted system.
Target Audience:
All organizations and individuals using Google ChromeOS or ChromeOS Flex.
Risk Assessment:
High risk of data breach, service disruption, system instability.
Impact Assessment:
Potential for remote code execution, sensitive data theft, or complete system compromise.
Description
ChromeOS is a lightweight OS by Google, optimized for fast web browsing, cloud computing, and seamless Google service integration on Chromebooks. ChromeOS Flex is a variant that brings this experience to older PCs and Macs, offering a cloud-centric, lightweight alternative for unsupported devices.
Multiple vulnerabilities exist in Google ChromeOS due to heap buffer overflow in Video, WebGPU and Sync; side-channel information leakage in Tab and Storage; use after free in V8, Storage and Safe Browsing; an off-by-one error in V8; and inappropriate implementation in Media. A remote attacker could exploit these vulnerabilities by persuading a victim to visit a specially crafted web page.
Successful exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code, bypass security restrictions, cause denial-of-service (DoS) or disclose sensitive information on the targeted system.
Solution
Apply appropriate updates as mentioned by the vendor:
https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-chromeos_15.html
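To confirm the update has reached every device, a fleet inventory can be checked against the fixed versions listed under "Software Affected". The following is an added example, not part of the CERT-In advisory: the CSV column names and sample rows are constructed, and treating a device as affected when either its platform or browser version is below the fixed one is a conservative assumption.

```python
import csv
import io

# Fixed versions from the advisory's "Software Affected" line.
FIXED_PLATFORM = (16404, 45, 0)
FIXED_BROWSER = (141, 0, 7390, 115)

# Constructed sample inventory; the column names are assumptions.
SAMPLE_INVENTORY = """\
device_id,platform_version,browser_version
cb-001,16404.45.0,141.0.7390.115
cb-002,16371.65.0,140.0.7339.201
cb-003,16433.12.0,142.0.7444.50
cb-004,,141.0.7390.115
cb-005,16404.9.0,141.0.7390.115
"""

def parse_version(text, width):
    """Parse '16404.45.0' into a tuple of ints, zero-padded to `width` parts."""
    parts = text.strip().split(".")
    if len(parts) > width or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    numbers = [int(p) for p in parts]
    return tuple(numbers + [0] * (width - len(numbers)))

def classify(platform, browser):
    """Return 'affected', 'patched', or 'unknown' for one device."""
    try:
        p = parse_version(platform, len(FIXED_PLATFORM))
        b = parse_version(browser, len(FIXED_BROWSER))
    except ValueError:
        # Unparseable or missing data is flagged, never treated as patched.
        return "unknown"
    # Numeric comparison: 16404.9.0 sorts below 16404.45.0, which a plain
    # string comparison would get wrong. Either version too low => affected.
    if p < FIXED_PLATFORM or b < FIXED_BROWSER:
        return "affected"
    return "patched"

def triage(csv_text):
    """Map each device_id in the inventory to its status."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["device_id"]: classify(r["platform_version"], r["browser_version"])
            for r in rows}

if __name__ == "__main__":
    for device, status in triage(SAMPLE_INVENTORY).items():
        print(f"{device}\t{status}")
```

Devices reported as "unknown" need manual review, because a missing version field says nothing about patch state.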
Vendor Information
Google Chrome
https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-chromeos_15.html
References
Google Chrome
https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-chromeos_15.html
CVE Name
CVE-2025-11205
CVE-2025-11206
CVE-2025-11207
CVE-2025-11208
CVE-2025-11210
CVE-2025-11215
CVE-2025-11219
CVE-2025-11458
CVE-2025-11460
CVE-2025-11756
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003