
ISN 2025-38: Critical Chromium Vulnerabilities CVE-2025-10200 & CVE-2025-10585

First published 21 October 2025

  • CVSS 3.1: 9.8 - Critical (CVE-2025-10200)

  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  • CVSS 3.1: 9.8 - Critical (CVE-2025-10585)

  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  • CVSS 3.1: 8.8 - High (CVE-2025-10201)

  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

  • CVSS 3.1: 8.8 - High (CVE-2025-10500)

  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

  • CVSS 3.1: 8.8 - High (CVE-2025-10501)

  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

  • CVSS 3.1: 8.8 - High (CVE-2025-10502)

  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

A number of security vulnerabilities have been found in Chromium, a web browser used in IGEL OS. This affects the following product versions:

  • IGEL OS 12

  • IGEL OS 11

Details

One of these vulnerabilities is tracked as CVE-2025-10200 and is rated High by NVD.
IGEL does not consider any user interaction to be necessary, which changes the rating to “Critical” according to the vector string specified above.

Critical CVE-2025-10200: Use after free in Serviceworker in Google Chrome on Desktop prior to 140.0.7339.127 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical) [NIST]

Critical CVE-2025-10585: Type confusion in V8 in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. This CVE is documented by CISA (BOD 22-01) as exploited in the wild and has been included in the Known Exploited Vulnerabilities Catalog since 23rd of September. For further information, please visit the linked web pages.

High CVE-2025-10201: Inappropriate implementation in Mojo in Google Chrome on Android, Linux, ChromeOS prior to 140.0.7339.127 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: High) [NIST]

High CVE-2025-10500: Use after free in Dawn in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

High CVE-2025-10501: Use after free in WebRTC in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

High CVE-2025-10502: Heap buffer overflow in ANGLE in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via malicious network traffic. (Chromium security severity: High)

Update Instructions

  • OS 12: Update the Chromium app to version 140.0.7339.185 or newer from the IGEL App Portal.

  • OS 11: Update to IGEL OS version 11.10.430 or newer.

References
