Google Chrome has confirmed in a statement on 20 March that a security researcher has discovered a critical vulnerability affecting all users across every platform—except, unsurprisingly, iOS.
Full technical details have not been published to give users time to protect their systems, the severity of the issue is undeniable. CVE-2025-2476 is a critical-rated use-after-free memory issue in the Lens component of the Chrome browser.
This, says the Vulners vulnerability database, could enable “remote attackers to exploit heap corruption via crafted HTML.” Simply said, a malicious web page could leave businesses open to attack.
According to the MITRE Common Weakness Enumeration database, a use-after-free vulnerability as being where memory is reused or referenced after it has been freed. “If malicious data is entered before chunk consolidation can take place,” MITRE explained, “it may be possible to take advantage of a write-what-where primitive to execute arbitrary code.”
Be Cautious When Visiting Untrusted Websites
Mayuresh Dani, Manager, Security Research, at Qualys, says: “Though a lot of details about this vulnerability are not disclosed, as far as I know, Google Lens cannot be used directly from an HTML page since native API for embedding it into web pages are not available.”
Hence, Dani says this attack will involve a social engineering aspect enticing unsuspecting users to search for some information using images, or translate text, and identify objects within a webpage or a photo. Doing so will allow an unauthenticated, remote attacker to exploit the use-after-free vulnerability and exploit arbitrary code on the targeted system.
“Users can protect themselves from such attacks by being cautious when visiting untrusted websites and avoiding using the Google Lens feature until Google Chrome is updated,” Dani adds.
A Glitchy Free-For-All
“Imagine you’re at an amusement park with a wristband that gets you into a special ride,” says Saeed Abbasi, Manager, Vulnerability Research at Qualys. “After your turn, you return the wristband to the attendant and leave. But later, you sneak back and flash the same old wristband—now expired—to try getting on the ride again. The catch? The ride’s now open to someone else with a new wristband. In Chrome, this “use-after-free” bug is like using a piece of memory after it’s been returned to the system, creating a glitchy free-for-all.”
Abbasi says this trick messes up Chrome’s memory, the “heap” (Chrome’s memory pool) gets scrambled, leading to unpredictable chaos. In short CVE-2025-2476 is a memory flaw where attackers use a shady webpage to sneak past Chrome’s defenses, potentially taking over your browser like a rogue rider at the park.
“This flaw allows a remote attack: simply visiting a malicious webpage can trigger the exploit. Attackers gain the power to run their own code on your computer. Since it’s rated as a critical vulnerability, the damage could be extensive—such as losing control of your browser. Criminals could steal passwords, credit card details, and other sensitive information stored in Chrome. They might also install malware, ransomware, or spyware without you realizing it. Because the threat occurs through a webpage, you may not even notice until the harm is already done. It’s recommended to update chrome now,” Abbasi ends.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.