Rank: Newbie
Groups: Member
Joined: 3/20/2025
Posts: 1
|
Is the browser control affected by these CVE's, and is so, when can we expect an update?
---
Google Chrome versions prior to 134.0.6998.88 (Linux), 134.0.6998.88/.89 (Windows) and 134.0.6998.88/.89 (Mac)
---
Several vulnerabilities have been fixed in the Google Chrome browser. They allow an unauthenticated remote attacker:to execute arbitrary code,to cause a denial of service,to illegally take knowledge of potentially sensitive data,to compromise data integrity.Note: Google signals they are aware of an exploit for CVE-2025-24201. However, Cert-IST is not aware of any public exploit code.
---
These vulnerabilities are due to:CVE-2025-1920, CVE-2025-2135: type confusion issues in V8 leading to heap memory corruption. They allow an unauthenticated remote attacker, by tricking the user into opening a specially crafted HTML page, to cause a denial of service or execute arbitrary code. CVE-2025-2136: a use-after-free issue in Chromium's developer tools leading to heap memory corruption. It allows an unauthenticated remote attacker, by tricking the user into opening a specially crafted HTML page, to cause a denial of service or execute arbitrary code. CVE-2025-2137: an out-of-bounds read issue in V8. It allows an unauthenticated remote attacker, by tricking the user into opening a specially crafted HTML page, to compromise data confidentiality or cause a denial of service. CVE-2025-24201: an undetailed out-of-bounds write issue in the GPU. It allows an unauthenticated remote attacker to compromise data integrity or cause a denial of service.
---
-: I also have a udp joke, but you might not get it :-
|
Rank: Administration
Groups: Administration
Joined: 5/27/2007
Posts: 24,407
|
Hi,
Our current version is based on Chromium v126. Since this is before v134, it would be affected by these issues. However we do not have a time line on when we can release an update yet because for security purpose, the details and fix for these issues are not public yet. We will need to wait for Google to publicially release both first before we can decide when/how to port the fix into our codebase.
Thanks!
|
Rank: Newbie
Groups: Member
Joined: 4/15/2016
Posts: 8
|
I understand updating is a lot of work, but it is high time you do that. Chromium 126 is the version of June/July 2024. A year is a long time in software. I can fake the user agent, but it is still possible to see actual Chromium version with this command in Developer Tools: navigator.userAgentData.getHighEntropyValues(["fullVersionList"]).then(console.log); In the EO developer console, it returns data including this: brands: Array(2) 0: {brand: 'Not/A)Brand', version: '8'} 1: {brand: 'Chromium', version: '126'} Current stable Chromium version is 138 for all OS platforms and WebView. Only FuchsiaWebEngine is still older: 134.0.6998.221 (but still at a higher version than 134.0.6998.88). See https://chromiumdash.appspot.com/releases?platform=WindowsPersonally, I don't think these vulnerabilities will affect our -heavily sandboxed- product based on the EO browser control, but unfortunately security officers only look at the Chromium version :(
|
Rank: Administration
Groups: Administration
Joined: 5/27/2007
Posts: 24,407
|
Hi,
We are working on updating our Chromium engine version and currently we are looking to have an update early next month.
Thanks!
|