Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
High

Use-after-free in Google Chrome Digital Credentials

IdentifiersCVE-2025-13633CWE-416· Use After Free

CVE-2025-13633 is a high-severity use-after-free vulnerability in the Digital Credentials component of Google Chrome. It affects Chrome versions prior to 143.0.7499.41. According to the provided content, a remote attacker who has already compromised the renderer process can trigger heap corruption via a crafted HTML page. The flaw is in Chrome’s Digital Credentials feature, and the memory-safety condition can potentially be leveraged after renderer compromise to corrupt heap state and further exploit the browser.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in heap corruption and may enable further compromise of the browser. The provided content indicates potential outcomes including arbitrary code execution, credential theft, information disclosure, or denial of service/crash conditions. In practical terms, because the attacker must already control or compromise the renderer process, this vulnerability is most significant as a post-compromise primitive that may be used to escalate impact beyond the renderer sandbox or to access sensitive credential-related data handled by the Digital Credentials feature.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by limiting use of untrusted websites and untrusted browser extensions, since the provided content indicates exploitation involves a crafted HTML page and a pre-existing renderer compromise. Restrict installation of extensions, enforce rapid browser restarts after updates, and prioritize patching on systems exposed to high-risk browsing activity. No specific vendor workaround beyond updating is provided in the supplied content.

Remediation

Patch, then assume compromise.

Update Google Chrome to version 143.0.7499.41 or later. The content states the issue was fixed in Chrome 143.0.7499.41+, with Chrome 143 stable releases delivering the patch. For downstream Chromium-based browsers, apply the corresponding vendor updates once available. Debian guidance in the provided content recommends upgrading Chromium packages to 143.0.7499.40-1~deb12u1 for bookworm or 143.0.7499.40-1~deb13u1 for trixie as part of broader Chromium fixes, but for Chrome specifically the cited fixed version for this CVE is 143.0.7499.41 or later.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
GoogleChromeapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

13 SOURCESView more in app
cyberthroneNews
Apr 10, 2026
Google Device Bound Session Credentials - Now GA in Chrome 146 - TheCyberThrone

One of four high-severity vulnerabilities patched in Google Chrome 143; described as enabling remote code execution, privilege escalation, or sandbox escape when chained.

Read more
learn microsoftNews
Dec 9, 2025
Microsoft December 2025 Security Updates / FYI - Microsoft Q&A

Specific non-Microsoft CVE republished by Microsoft for Microsoft Edge (Chromium-based).

Read more
learn microsoftNews
Dec 9, 2025
Microsoft December 2025 Security Updates / FYI - Microsoft Q&A

A republished non-Microsoft CVE affecting Microsoft Edge (Chromium-based).

Read more
cyberthroneNews
Dec 8, 2025
Google Chrome 143 Stable Channel Released - TheCyberThrone

A use-after-free in Chrome’s Digital Credentials component that can enable heap corruption and potentially credential theft or code execution, especially after renderer compromise.

Read more
+3 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity4

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-13633
NVD
nvd.nist.gov/vuln/detail/CVE-2025-13633
MITRE CWE · CWE-416
Use After Free
Vendor Advisory
chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop.html
Issue Tracking
issues.chromium.org/issues/458082926