MultiCVE-2025-0434-0438
Lookout Coverage and Recommendation for Admins
To ensure your devices are protected, Lookout admins should take the following steps in their Lookout console:
- Enable the Application Vulnerability policy, which will detect when a vulnerable app version is on the device. Lookout will publish the coverage on January 30th 2025 after which alerts will be generated based on the admin's risk, response and escalation setup. All of the mentioned CVEs will be detected by the same coverage, listed below.
- MultiApp-MultiCVE-2025-0434-0438 - any device with vulnerable versions of Chrome (below the reported fixed version of 132.0.6834.79) or Microsoft Edge (132.0.2957.118) will receive an alert if detected after that date.
- Enable Lookout Phishing & Content Protection (PCP) to protect mobile users from malicious phishing campaigns that are built to exploit these vulnerabilities in order to phish credentials or deliver malicious apps to the device.
Overview
Google has recently disclosed critical vulnerabilities in their Chrome web browser. The Chrome vulnerabilities are tracked as CVE-2025-0434, CVE-2025-0435, CVE-2025-0436, CVE-2025-0437, and CVE-2025-0438.
CVE-2025-0434 through CVE-2025-0438 highlight various critical vulnerabilities in Google Chrome, including an out-of-bounds memory access in the V8 engine that could grant a remote attacker the ability to exploit heap corruption via a crafted HTML page (CVE-2025-0434). They also include an inappropriate implementation in the navigation component in Google Chrome on Android that could allow a remote attacker to perform UI spoofing via a crafted HTML page (CVE-2025-0435). In addition, CVE-2025-0436 (Integer overflow in Skia), CVE-2025-0437 (Out of bounds read in Metrics) and CVE-2025-0438 (a stack buffer overflow in Tracing) are noted vulnerabilities in Google Chrome . Exploiting these flaws could allow remote attackers to execute arbitrary code or compromise heap or stack memory via a crafted HTML page which could lead to arbitrary code execution..
Microsoft Edge and other Chromium-based browsers could be impacted, depending on the version of Chromium they are using. Always ensure these browsers are updated with the latest patches to mitigate any risk.
Lookout Analysis
These vulnerabilities exist in a variety of components of Chrome, which broadens the risk surface for any organization that allows its employees to use the browser. Each of the components is triggered at various points of loading and interacting with mobile webpages. These vulnerabilities are a reminder of the potential outsized impact on mobile fleets - especially when they exist in everyday apps such as mobile browsers. In addition to gaining remote access to vulnerable devices, successful exploits in browsers also frequently grant the attacker access to the same permissions as the browsers.
Each of the vulnerabilities disclosed can be exploited via a maliciously crafted webpage, which means that attackers can deliver them as URLs in the same way they would deliver phishing attacks on mobile. This means they would likely socially engineer an individual through SMS, iMessage, WhatsApp, Telegram, Instagram, LinkedIn, or any of the countless messaging and social media apps on mobile devices. A successful attack could lead to continued data leakage and risk for enterprise organizations.
Authors
Lookout
Lookout, Inc. is the data-centric cloud security company that uses a defense-in-depth strategy to address the different stages of a modern cybersecurity attack. Data is at the core of every organization, and our approach to cybersecurity is designed to protect that data within today’s evolving threat landscape no matter where or how it moves.
